Server-Side Request Forgery Vulnerability in Lemmy Forum by LemmyNet
CVE-2025-25194

CVSS score: 4 (MEDIUM)

Key Information:

Vendor: LemmyNet
Status: Vendor
CVE Published: 10 February 2025

What is CVE-2025-25194?

Lemmy, a link aggregator and forum platform, is susceptible to server-side request forgery (SSRF) through its use of the activitypub_federation framework. The flaw lets an attacker bypass the hardcoded URL paths and the checks intended to prevent requests to local (internal) destinations. Specifically, a user can cause the server to issue arbitrary GET requests to any host, which can expose sensitive information and potentially manipulate remote services. As of now, no patch has been released to address this issue.
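The defensive control this class of bug calls for is a destination check on every outbound federation fetch. The Rust below is an added example written for this page, not code from Lemmy or from the activitypub_federation framework, and the function names are assumptions. It allow-lists the scheme, rejects loopback, private, link-local and IPv4-mapped literal hosts, and supplies a second check to run over DNS results so a hostname cannot be used to reach an internal address.

```rust
use std::net::IpAddr;
// Hypothetical std-only (scheme, host) extraction; a real deployment would use a full URL parser.
fn scheme_and_host(raw: &str) -> Option<(String, String)> {
    let (scheme, rest) = raw.split_once("://")?;
    let authority = rest.split(|c: char| c == '/' || c == '?' || c == '#').next()?;
    // Strip userinfo so "https://x@10.0.0.1/" is judged by the real host.
    let hostport = authority.rsplit_once('@').map_or(authority, |(_, h)| h);
    let host = match hostport.strip_prefix('[') {
        Some(v6) => v6.split(']').next()?,   // bracketed IPv6 literal
        None => hostport.split(':').next()?, // drop an optional port
    };
    if host.is_empty() { return None; }
    Some((scheme.to_ascii_lowercase(), host.to_ascii_lowercase()))
}
/// Addresses a federation fetch must never reach: loopback, private/ULA, link-local
/// (169.254.0.0/16 includes cloud metadata), unspecified, and IPv4-mapped IPv6 forms.
pub fn is_internal_ip(ip: IpAddr) -> bool {
    match ip {
        IpAddr::V4(v4) => v4.is_loopback() || v4.is_private() || v4.is_link_local()
            || v4.is_unspecified() || v4.is_broadcast(),
        IpAddr::V6(v6) => {
            let seg0 = v6.segments()[0];
            v6.is_loopback() || v6.is_unspecified()
                || (seg0 & 0xfe00) == 0xfc00 // fc00::/7 unique local
                || (seg0 & 0xffc0) == 0xfe80 // fe80::/10 link local
                || v6.to_ipv4_mapped().map_or(false, |v4| is_internal_ip(IpAddr::V4(v4)))
        }
    }
}
/// Pre-DNS check on the URL itself: scheme allow-list plus literal-host checks.
pub fn is_safe_federation_url(raw: &str) -> bool {
    let (scheme, host) = match scheme_and_host(raw) {
        Some(parts) => parts,
        None => return false,
    };
    if scheme != "https" && scheme != "http" { return false; } // no file://, gopher:// ...
    if host == "localhost" || host.ends_with(".localhost") { return false; }
    match host.parse::<IpAddr>() {
        Ok(ip) => !is_internal_ip(ip),
        Err(_) => true, // DNS name: caller must apply check_resolved_addrs after lookup
    }
}
/// Post-DNS check: every resolved address must be external; the caller then connects
/// to one of these checked addresses rather than resolving the name a second time.
pub fn check_resolved_addrs(addrs: &[IpAddr]) -> bool {
    !addrs.is_empty() && addrs.iter().all(|ip| !is_internal_ip(*ip))
}
```

Both checks are needed: the literal check alone is defeated by a hostname that resolves to an internal address, and the resolved check alone is defeated if the HTTP client re-resolves the name at connect time.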

Affected Version(s)

lemmy <= 0.19.8


CVSS V3.1

Score: 4
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
