Lychee DNS Rebinding Vulnerability Bypasses SSRF Protection

A server-side request forgery (SSRF) vulnerability has been identified in Lychee versions prior to 7.5.2. The issue arises in the PhotoUrlRule.php file, where the SSRF protection can be bypassed through DNS rebinding. The vulnerability exists because the IP validation only triggers when the hostname is an IP address. When a domain name is used, the validation is skipped, allowing the server to make requests to internal IPs or localhost services.

Impact

Exploitation of this vulnerability allows authenticated users to access internal HTTP services, cloud metadata endpoints, and localhost services from the Lychee server.

Reproduction

To reproduce this vulnerability, log in as an authenticated user and use a DNS service that resolves to localhost, such as '127.0.0.1.nip.io'. Then, send a POST request to '/api/v2/Photo::fromUrl' with a URL that points to an internal endpoint via the resolved hostname. The server will resolve the hostname to '127.0.0.1' and make the request to localhost, demonstrating the SSRF bypass.

Remediation

Users can update to Lychee version 7.5.2 or later, where this vulnerability has been patched.