Lemmy Open Graph Image SSRF Vulnerability Allowing Internal Image Disclosure

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in Lemmy versions prior to 0.19.18. Lemmy fetches metadata from user-supplied post URLs and, by default, downloads preview images through a local image processing service. The post URL itself is validated against internal IP ranges, but the Open Graph image URL extracted from the fetched page is not subjected to the same check. Consequently, an authenticated low-privileged user can submit a post whose URL points to a public page whose Open Graph image tag references an internal image endpoint. Lemmy then fetches the internal image, stores a local thumbnail, and serves it to users.

Impact

Exploitation of this vulnerability allows an authenticated low-privileged user to retrieve internal image resources reachable from the Lemmy server. The fetched images are cached as thumbnails and can be served to other users, effectively exposing internal content through the platform's thumbnail service.

Reproduction

To reproduce this vulnerability, an authenticated low-privileged user can create a post with a URL that points to a controlled public page. This page should include an Open Graph image tag referencing an internal image URL accessible from the Lemmy server. Once the post is published, Lemmy will fetch the internal image via the local image processing service, demonstrating the successful exploitation of the SSRF vulnerability.
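The Vulnerability and Reproduction sections above both describe the same gap: the post URL is screened for internal addresses, but the og:image URL taken from the fetched page is handed to the image service unscreened. The following is an added example, not Lemmy's own code, that models both behaviours in Python: a metadata fetch that checks only the post URL (the pre-0.19.18 pattern as the advisory describes it) beside a hardened fetch that applies the same internal-address check to every URL it is about to retrieve. The hostnames, the fake DNS mapping and the fake pages are constructed so the example runs offline; the function names are hypothetical.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed resolver so the example runs offline. A real service would use
# socket.getaddrinfo and must check every address the name resolves to.
FAKE_DNS = {
    "public.example": "93.184.216.34",   # stands in for a public address
    "intranet.example": "10.0.0.5",      # RFC 1918 private range
    "localhost": "127.0.0.1",
}

# Constructed pages served by the fake fetcher, keyed by URL.
FAKE_PAGES = {
    "https://public.example/post": (
        '<html><head><meta property="og:title" content="Hello">'
        '<meta property="og:image" content="http://intranet.example/diagram.png">'
        "</head></html>"
    ),
    "https://public.example/benign": (
        '<html><head><meta property="og:image" content="/static/cover.png">'
        "</head></html>"
    ),
}


class OgImageParser(HTMLParser):
    """Collects the content attribute of the first <meta property="og:image"> tag."""

    def __init__(self):
        super().__init__()
        self.og_image = None

    def handle_starttag(self, tag, attrs):
        if tag != "meta" or self.og_image is not None:
            return
        a = dict(attrs)
        if (a.get("property") or "").lower() == "og:image" and a.get("content"):
            self.og_image = a["content"]


def extract_og_image(page_url, html):
    """Return the absolute og:image URL of a page, or None if the page has none."""
    p = OgImageParser()
    p.feed(html)
    return urljoin(page_url, p.og_image) if p.og_image else None


def is_internal_url(url, resolve=lambda host: FAKE_DNS.get(host)):
    """True if the URL must not be fetched server-side: non-http(s) scheme, missing or
    unresolvable host, or a host that resolves to a loopback, private, link-local,
    multicast, reserved or unspecified address. IP literals are checked directly."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return True
    try:
        addr = ipaddress.ip_address(parts.hostname)
    except ValueError:
        ip = resolve(parts.hostname)
        if ip is None:
            return True
        addr = ipaddress.ip_address(ip)
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def fetch_thumbnail_vulnerable(post_url, fetch=FAKE_PAGES.get):
    """Models the behaviour the advisory describes for versions before 0.19.18:
    only the post URL is screened; the extracted og:image URL is passed straight on
    to the image service. Returns (action, url) instead of performing the fetch."""
    if is_internal_url(post_url):
        return ("rejected", post_url)
    html = fetch(post_url)
    if html is None:
        return ("unreachable", post_url)
    image = extract_og_image(post_url, html)
    if image is None:
        return ("no-image", None)
    return ("fetch-image", image)   # unchecked: may be an internal address


def fetch_thumbnail_hardened(post_url, fetch=FAKE_PAGES.get):
    """Same flow, but every URL the server is about to retrieve is screened,
    including the og:image URL derived from the remote page."""
    if is_internal_url(post_url):
        return ("rejected", post_url)
    html = fetch(post_url)
    if html is None:
        return ("unreachable", post_url)
    image = extract_og_image(post_url, html)
    if image is None:
        return ("no-image", None)
    if is_internal_url(image):
        return ("rejected", image)
    return ("fetch-image", image)


if __name__ == "__main__":
    for url in ("https://public.example/post", "https://public.example/benign"):
        print(url, "vulnerable:", fetch_thumbnail_vulnerable(url),
              "hardened:", fetch_thumbnail_hardened(url))
```

The check has to run on the address actually connected to, not only on the name: a real implementation should resolve the host once, validate every returned address, connect to that pinned address rather than resolving again, and repeat the validation on each redirect target. Any URL derived from remote content (Open Graph tags, oEmbed endpoints, favicon links) needs the same treatment as the user-supplied post URL before it reaches the image service.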

Remediation

Users should update to Lemmy version 0.19.18 or later, where this vulnerability has been patched.

Added: May 8, 2026, 10:07 PM
Updated: May 8, 2026, 10:07 PM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 1.0
exploitability: 6.2
remediation: 7.7
relevance: 7.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.