Lemmy ActivityPub Federation Library Server-Side Request Forgery Vulnerability

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in Lemmy, a link aggregator and forum for the fediverse, through its dependency on activitypub_federation, a Rust framework for ActivityPub federation. This vulnerability affects versions of Lemmy prior to 0.19.16. The issue arises in the GET /api/v4/image/(unknown) endpoint, which is susceptible to unauthenticated SSRF via parameter injection in the file_type query parameter. An attacker can exploit this by injecting arbitrary query parameters into the internal request to pict-rs, including the proxy parameter, which directs pict-rs to fetch arbitrary URLs. The vulnerability has been patched in version 0.19.16.
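The root cause described above is parameter injection: a client-supplied query value is spliced verbatim into the URL of an internal request, so an `&` inside it introduces a further parameter that the backend honours. The following Rust program is an added illustration, not code from Lemmy, pict-rs or activitypub_federation. It places the vulnerable concatenation pattern beside two defences that close it: an allowlist of the values the parameter is actually meant to carry, and percent-encoding of anything forwarded upstream. The backend base URL, the `src`/`file_type` parameter names and the sample input are assumptions made for the example.

```rust
// Added example (not Lemmy's or pict-rs's code): contrasts an upstream URL
// built by raw string concatenation with a hardened builder that validates
// and percent-encodes the client-controlled value. The backend address,
// parameter names and input below are assumed for illustration.

const PICTRS_BASE: &str = "http://pictrs:8080/image/process.jpg"; // assumed

/// Vulnerable pattern: the client-controlled value is concatenated directly
/// into the upstream query string, so '&' and '=' inside it become new
/// parameters as far as the backend is concerned.
fn build_upstream_url_unsafe(file_type: &str) -> String {
    format!("{PICTRS_BASE}?src=example.png&file_type={file_type}")
}

/// Allowlist: the only values this parameter is meant to carry.
fn is_allowed_file_type(file_type: &str) -> bool {
    matches!(file_type, "png" | "jpg" | "webp" | "avif")
}

/// Percent-encodes every byte outside the RFC 3986 unreserved set, so the
/// value can neither terminate nor introduce a query parameter upstream.
fn percent_encode(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    for b in input.bytes() {
        match b {
            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'_' | b'.' | b'~' => {
                out.push(b as char)
            }
            _ => out.push_str(&format!("%{:02X}", b)),
        }
    }
    out
}

/// Hardened pattern: reject anything outside the allowlist, and encode what
/// is forwarded so the upstream parser sees exactly one parameter.
fn build_upstream_url_safe(file_type: &str) -> Result<String, String> {
    if !is_allowed_file_type(file_type) {
        return Err(format!("rejected file_type: {:?}", file_type));
    }
    Ok(format!(
        "{PICTRS_BASE}?src=example.png&file_type={}",
        percent_encode(file_type)
    ))
}

/// Splits a URL's query string into (key, value) pairs the way an upstream
/// service would, to show how many parameters it ends up receiving.
fn query_params(url: &str) -> Vec<(String, String)> {
    let query = match url.split_once('?') {
        Some((_, q)) => q,
        None => return Vec::new(),
    };
    query
        .split('&')
        .filter_map(|kv| {
            let (k, v) = kv.split_once('=')?;
            Some((k.to_string(), v.to_string()))
        })
        .collect()
}

fn main() {
    // Constructed input: a value that smuggles a second parameter.
    let tainted = "png&proxy=http://example.invalid/";

    let unsafe_url = build_upstream_url_unsafe(tainted);
    println!("unsafe builder: {unsafe_url}");
    println!("  upstream sees {} parameters", query_params(&unsafe_url).len());

    match build_upstream_url_safe(tainted) {
        Ok(url) => println!("safe builder:   {url}"),
        Err(e) => println!("safe builder:   {e}"),
    }
    let ok = build_upstream_url_safe("webp").unwrap();
    println!("safe builder:   {ok} ({} parameters)", query_params(&ok).len());
}
```

Of the two defences, the allowlist is the one that actually removes the bug class for a parameter like this: an image format name has a small, fixed vocabulary, so nothing outside it should ever reach the backend. Percent-encoding is the general fallback for parameters that legitimately carry free-form text, and it is worth applying even when an allowlist exists so that a later widening of the allowlist cannot quietly reintroduce injection.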

Impact

Exploitation allows an unauthenticated attacker to access cloud metadata services from the pict-rs service, scan and interact with internal services on the Docker network, and bypass validation checks on the image_proxy endpoint.

Reproduction

To reproduce this vulnerability, send a GET request to the /api/v4/image/ endpoint with a crafted file_type query parameter that includes a proxy URL pointing to an internal or metadata service. The pict-rs service will fetch the URL, demonstrating the SSRF vulnerability.

Remediation

Users can update to Lemmy version 0.19.16 or later, where this vulnerability has been patched.

Added: Mar 6, 2026, 6:20 PM
Updated: Mar 6, 2026, 6:20 PM

Vulnerability Rating

Custom Algorithm
spread: 2.2
impact: 0.6
exploitability: 9.1
remediation: 7.7
relevance: 3.5
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.