Lychee Photo Management Tool Loopback and Link-Local IP Bypass Vulnerability

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in Lychee, a free and open-source photo management tool, in versions prior to 7.5.1. The issue arises from an incomplete IP validation check in the 'Photo::fromUrl' function, which fails to block loopback addresses (such as 127.0.0.1) and link-local addresses (including the AWS EC2 instance metadata endpoint). This vulnerability allows authenticated users to access internal services using direct IP addresses, bypassing all protection configuration settings, even when they are set to their secure defaults.
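The defensive check the advisory is about, as an added Python example that is not Lychee's code and not the project's fix: it contrasts a hypothetical incomplete address filter of the kind described (one that denies only RFC 1918 ranges) with a complete check that also rejects loopback, link-local, IPv4-mapped IPv6 and other non-routable addresses, and applies that check to every address a hostname resolves to. It goes beyond the two classes the advisory names (loopback and link-local) to private, multicast, reserved and unspecified ranges. The FAKE_DNS table, the hostnames in it, the 1.2.3.4 sample address and all function names are constructed for this example so that it runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed DNS table so the example runs offline (hypothetical names, not real hosts).
FAKE_DNS = {
    "photos.example.com": ["1.2.3.4"],            # constructed routable address
    "internal.example.com": ["127.0.0.1"],        # a name that points at loopback
    "metadata.example.com": ["169.254.169.254"],  # link-local, the cloud metadata range
}


def fake_getaddrinfo(host, port, **_kwargs):
    """Stand-in for socket.getaddrinfo backed by FAKE_DNS; returns the same tuple shape."""
    try:
        ipaddress.ip_address(host)       # literal IP: resolve to itself, as getaddrinfo does
        ips = [host]
    except ValueError:
        if host not in FAKE_DNS:
            raise socket.gaierror("constructed NXDOMAIN for %s" % host)
        ips = FAKE_DNS[host]
    return [(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP, "", (ip, port)) for ip in ips]


def incomplete_check(ip_str):
    """Hypothetical incomplete filter (the pattern the advisory describes, not Lychee's code):
    only RFC 1918 ranges are denied, so 127.0.0.1 and 169.254.169.254 pass."""
    ip = ipaddress.ip_address(ip_str)
    for net in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"):
        if ip in ipaddress.ip_network(net):
            return False
    return True


def is_public_ip(ip_str):
    """Complete filter: only globally routable unicast addresses are allowed."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False                     # not an address at all: deny
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so the IPv4 rules apply to it
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_loopback or ip.is_link_local or ip.is_private
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_fetch_url(url, resolver=socket.getaddrinfo):
    """Parse a user-supplied URL, resolve its host and return the sorted list of
    addresses if every one of them is public; raise ValueError otherwise."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("scheme not allowed: %r" % parts.scheme)
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    try:
        infos = resolver(host, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror as exc:
        raise ValueError("cannot resolve %s: %s" % (host, exc))
    # A name with several records must fail if any single record is internal
    addrs = sorted({info[4][0] for info in infos})
    bad = [a for a in addrs if not is_public_ip(a)]
    if bad:
        raise ValueError("%s resolves to non-public address(es): %s" % (host, bad))
    return addrs


def is_url_allowed(url, resolver=socket.getaddrinfo):
    """Boolean wrapper around validate_fetch_url for callers that only need a verdict."""
    try:
        validate_fetch_url(url, resolver)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for ip in ("127.0.0.1", "169.254.169.254", "::ffff:127.0.0.1", "10.0.0.5", "1.2.3.4"):
        print("%-20s incomplete=%-5s complete=%s" % (ip, incomplete_check(ip), is_public_ip(ip)))
    for url in ("http://photos.example.com/a.jpg", "http://internal.example.com/",
                "http://metadata.example.com/", "http://[::1]/", "ftp://photos.example.com/"):
        print("%-35s allowed=%s" % (url, is_url_allowed(url, fake_getaddrinfo)))
```

Validating the URL before the fetch is necessary but not sufficient on its own: the hostname can be re-resolved to a different address between the check and the connection (DNS rebinding), and an HTTP redirect can lead from an address that passed to an internal one. The same is_public_ip test therefore also belongs at connection time, on the address the HTTP client actually connects to, and on every redirect hop.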

Impact

Exploitation of this vulnerability allows authenticated users to access internal HTTP services on loopback addresses, bypassing security configurations. In cloud environments, it could also enable access to sensitive instance metadata and credentials.

Reproduction

To reproduce this vulnerability, an authenticated user can send a POST request to the '/api/v2/Photo::fromUrl' endpoint. Include a URL that points to a loopback address or a link-local address, such as the AWS metadata endpoint. This request will bypass the application's IP validation checks and access internal services.

Remediation

Update to Lychee version 7.5.1 or later, where this vulnerability has been fixed.

Added: Mar 26, 2026, 10:09 PM
Updated: Mar 26, 2026, 10:09 PM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 0.6
exploitability: 6.2
remediation: 7.7
relevance: 4.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.