Lemmy Blind Server-Side Request Forgery Vulnerability in Webmention Dispatch

Vulnerability

A blind server-side request forgery (SSRF) vulnerability has been identified in Lemmy versions prior to 0.19.18. This issue allows an authenticated low-privileged user to exploit the Webmention feature by sending a link post to a public community. The vulnerability arises because the application does not properly validate the URL before dispatching the Webmention, allowing internal or loopback addresses to be targeted. As a result, an attacker can trigger server-side HTTP requests to internal services, potentially leading to unauthorized access or manipulation of internal resources.

Impact

Exploitation of this vulnerability allows authenticated users to use the Lemmy server to make blind HTTP requests to internal services, bypassing external network restrictions. This could expose internal service availability, trigger webhooks or administrative functions, and increase the overall attack surface.

Reproduction

To reproduce this vulnerability, an authenticated low-privileged user can create a post in a public community using the 'POST /api/v3/post' endpoint. The 'url' field can be set to an internal or loopback address, such as '127.0.0.1:8081'. After the post is submitted, the Lemmy server will asynchronously send a Webmention to the specified URL, effectively performing a server-side request to the internal service.

Remediation

Users are advised to update Lemmy to version 0.19.18 or later, where this vulnerability has been patched.
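The missing URL validation the advisory describes, shown here as an added illustration written for this page rather than code from Lemmy or its patch: a std-only Rust check that parses the Webmention target, resolves hostnames, and refuses loopback, private, link-local and other non-public addresses before any request is dispatched. The function names and the exact rule set are this example's own assumptions.

```rust
use std::net::{IpAddr, Ipv4Addr, ToSocketAddrs};
// Hypothetical validator, not Lemmy's code: true if a server-originated request
// must never go to this address (loopback, private, link-local, shared, ...).
pub fn is_internal_ip(ip: IpAddr) -> bool {
    let v4_rule = |a: Ipv4Addr| {
        let o = a.octets();
        a.is_loopback() || a.is_private() || a.is_link_local() || a.is_unspecified()
            || a.is_broadcast() || (o[0] == 100 && (o[1] & 0xc0) == 64) // 100.64.0.0/10
    };
    match ip {
        IpAddr::V4(a) => v4_rule(a),
        // ::ffff:a.b.c.d wraps an IPv4 address: judge it by the IPv4 rules
        IpAddr::V6(a) => match a.to_ipv4_mapped() {
            Some(m) => v4_rule(m),
            None => a.is_loopback() || a.is_unspecified()
                || (a.segments()[0] & 0xfe00) == 0xfc00 // fc00::/7 unique local
                || (a.segments()[0] & 0xffc0) == 0xfe80, // fe80::/10 link local
        },
    }
}
// (host, port) of an absolute http(s) URL; None for anything else, including
// scheme-less "127.0.0.1:8081" and user:pass@ forms that confuse parsers.
fn host_and_port(url: &str) -> Option<(String, u16)> {
    let (scheme, rest) = url.split_once("://")?;
    let default_port = match scheme.to_ascii_lowercase().as_str() {
        "http" => 80, "https" => 443, _ => return None,
    };
    let auth = &rest[..rest.find(|c: char| "/?#".contains(c)).unwrap_or(rest.len())];
    if auth.is_empty() || auth.contains('@') { return None; }
    let (host, port) = match auth.strip_prefix('[') {
        Some(inner) => { let (h, t) = inner.split_once(']')?; (h, t.strip_prefix(':').unwrap_or(t)) }
        None => auth.rsplit_once(':').unwrap_or((auth, "")), // bare host or host:port
    };
    let port = if port.is_empty() { default_port } else { port.parse().ok()? };
    Some((host.to_string(), port))
}
// Call before dispatching a Webmention. Hostnames are resolved and every answer
// is checked, because one name may map to both a public and an internal address.
pub fn check_webmention_target(url: &str) -> Result<(), String> {
    let (host, port) = host_and_port(url).ok_or("not an absolute http(s) URL")?;
    let addrs: Vec<IpAddr> = match host.parse::<IpAddr>() {
        Ok(ip) => vec![ip],
        Err(_) => (host.as_str(), port).to_socket_addrs()
            .map_err(|e| format!("cannot resolve {}: {}", host, e))?.map(|sa| sa.ip()).collect(),
    };
    match addrs.iter().find(|ip| is_internal_ip(**ip)) {
        Some(ip) => Err(format!("{} targets internal address {}", url, ip)),
        None => Ok(()),
    }
}
```

Resolve-then-check still leaves a window for DNS rebinding and for redirects to internal hosts, so a dispatcher should apply the same address rule to the socket it actually connects to and to every redirect target.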

Added: May 8, 2026, 10:07 PM
Updated: May 8, 2026, 10:07 PM

Vulnerability Rating

Custom Algorithm
spread: 2.2
impact: 0.6
exploitability: 5.8
remediation: 7.7
relevance: 7.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.