Linkwarden Server-Side Request Forgery Vulnerability in Link Creation and Archive Processing
Vulnerability
A Server-Side Request Forgery (SSRF) vulnerability has been identified in Linkwarden, a self-hosted collaborative bookmark manager, in versions prior to 2.13.0. The vulnerability arises in the fetchTitleAndHeaders function, where insufficient URL validation allows any authenticated user to make the server issue arbitrary HTTP requests to internal services. The function only checks that the submitted URL begins with 'http://' or 'https://' and performs no validation of the destination host or its resolved address, so links pointing at internal Docker services, cloud metadata endpoints (such as 169.254.169.254), and other internal network resources are fetched server-side on the user's behalf. In environments with cloud metadata services, this can lead to credential theft and further compromise of the hosting account.
Impact
Exploitation of this vulnerability gives an authenticated user access to internal Docker services and cloud metadata endpoints, potentially leading to credential theft. In the tested Docker environment, the Meilisearch service's endpoints were reachable and returned service status information. In production environments with cloud metadata services (AWS, GCP, Azure), the same request path can be used to obtain IAM role credentials or GCP service account tokens, depending on how the instance's metadata service is configured.
Reproduction
To reproduce this vulnerability, deploy a Linkwarden version prior to 2.13.0 on an AWS EC2 instance with an attached IAM role and IMDSv1 enabled. After authenticating, open the link creation interface and create a new link whose URL points to the AWS instance metadata endpoint for IAM security credentials (http://169.254.169.254/latest/meta-data/iam/security-credentials/ followed by the role name). Once the link is created, view it through the frontend or fetch it via the API; the content returned for the link contains the IAM role's temporary credentials. If the instance enforces IMDSv2, the plain GET without a session token is refused and this particular request fails, although Docker-internal services remain reachable through the same flaw.
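To make the flaw described in the Vulnerability section and exercised in the reproduction concrete, the following is an added example (written in TypeScript, Linkwarden's language; it is not Linkwarden's code) that places a prefix-only check of the kind the advisory describes next to a hardened validator of the kind a fix needs. The function names, the resolver hook, the blocked-host list and the constructed DNS table are assumptions made for the example.

```typescript
import { isIP } from "node:net";

// The pre-2.13.0 behaviour as the advisory describes it: only the scheme prefix
// is inspected, so link-local, loopback and Docker-internal hosts all pass.
function prefixOnlyCheck(url: string): boolean {
  return url.startsWith("http://") || url.startsWith("https://");
}

// Hypothetical resolver hook (assumption): the caller supplies DNS answers so
// the example runs offline and so the validated addresses can be pinned later.
type Resolver = (hostname: string) => string[];

const BLOCKED_HOSTS = new Set(["localhost", "metadata.google.internal"]);
const BLOCKED_SUFFIXES = [".localhost", ".internal"];

// Non-public IPv4 blocks: "this" network, RFC 1918, CGNAT, loopback,
// link-local (covers 169.254.169.254), multicast and reserved.
const BLOCKED_V4: Array<[string, number]> = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
  ["224.0.0.0", 4], ["240.0.0.0", 4],
];

function v4ToInt(ip: string): number {
  return ip.split(".").reduce((acc, octet) => ((acc << 8) | Number(octet)) >>> 0, 0);
}

function inV4Block(ip: string, base: string, bits: number): boolean {
  const mask = (~0 << (32 - bits)) >>> 0;
  return ((v4ToInt(ip) & mask) >>> 0) === ((v4ToInt(base) & mask) >>> 0);
}

// IPv6: loopback/unspecified, ULA fc00::/7 (includes AWS's fd00:ec2::254),
// link-local fe80::/10, and IPv4-mapped forms (::ffff:a.b.c.d or ::ffff:7f00:1)
// are reduced to the IPv4 decision. Anything that is not an address is refused.
function isBlockedAddress(addr: string): boolean {
  const ip = addr.toLowerCase();
  if (isIP(ip) === 4) return BLOCKED_V4.some(([base, bits]) => inV4Block(ip, base, bits));
  if (isIP(ip) !== 6) return true;
  if (ip === "::1" || ip === "::") return true;
  const firstHextet = ip.split(":")[0];
  const h = firstHextet === "" ? 0 : parseInt(firstHextet, 16);
  if ((h & 0xfe00) === 0xfc00 || (h & 0xffc0) === 0xfe80) return true;
  if (ip.startsWith("::ffff:")) {
    const rest = ip.slice("::ffff:".length);
    if (isIP(rest) === 4) return isBlockedAddress(rest);
    const m = /^([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(rest);
    if (m) {
      const hi = parseInt(m[1], 16), lo = parseInt(m[2], 16);
      return isBlockedAddress(`${hi >> 8}.${hi & 0xff}.${lo >> 8}.${lo & 0xff}`);
    }
  }
  return false;
}

function parseUrl(raw: string): URL | null {
  try { return new URL(raw); } catch { return null; }
}

// Hardened check: the WHATWG parser normalises "http://2852039166/" and
// "http://0xa9fea9fe/" to 169.254.169.254 before we look at the host; then
// restrict the scheme, reject embedded credentials, block internal hostnames
// and require every resolved address to be public.
function isSafeTarget(raw: string, resolve: Resolver): { ok: boolean; reason: string } {
  const url = parseUrl(raw);
  if (!url) return { ok: false, reason: "unparseable URL" };
  if (url.protocol !== "http:" && url.protocol !== "https:") return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  if (url.username || url.password) return { ok: false, reason: "credentials embedded in URL" };
  const host = url.hostname.replace(/^\[|\]$/g, "").toLowerCase();
  if (BLOCKED_HOSTS.has(host) || BLOCKED_SUFFIXES.some((s) => host.endsWith(s))) return { ok: false, reason: `internal hostname ${host}` };
  const addrs = isIP(host) ? [host] : resolve(host);
  if (addrs.length === 0) return { ok: false, reason: "host did not resolve" };
  const bad = addrs.find((a) => isBlockedAddress(a));
  if (bad !== undefined) return { ok: false, reason: `resolves to non-public address ${bad}` };
  return { ok: true, reason: "public destination" };
}

// Constructed DNS answers standing in for a Docker Compose network and the internet.
const fakeDns: Record<string, string[]> = {
  "meilisearch": ["172.18.0.3"],
  "example.com": ["93.184.216.34"],
  "rebind.example": ["93.184.216.34", "10.0.0.5"],
};
const demoResolve: Resolver = (h) => fakeDns[h] ?? [];

for (const u of ["http://169.254.169.254/latest/meta-data/iam/security-credentials/", "http://meilisearch:7700/health", "https://example.com/"]) {
  console.log(u, "prefix-only:", prefixOnlyCheck(u), "hardened:", isSafeTarget(u, demoResolve));
}
```

Two caveats apply to any validator of this shape. The addresses checked here are those resolved at validation time; an attacker-controlled name can answer differently when the archiver actually connects (DNS rebinding), so the fetch should be made to the address that was validated rather than re-resolving. And a public host may redirect to an internal one, so the HTTP client must not follow redirects automatically; each hop needs to go back through the same check.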
Remediation
Users are advised to update to Linkwarden version 2.13.0 or later, where this vulnerability has been patched. As defense in depth, operators can enforce IMDSv2 on the hosting instance, so that metadata requests require a session token the archiver never sends, and restrict the Linkwarden container's egress to the internal network so that an unpatched instance cannot reach services it does not need.
