Server-Side Request Forgery in LinkAce by Kovah
CVE-2025-62719

2.3 LOW

Key Information:

Vendor

Kovah

Status
Vendor
CVE Published:
4 November 2025

What is CVE-2025-62719?

LinkAce is a self-hosted tool for archiving website links. Versions 2.3.0 and earlier contain a server-side request forgery (SSRF) vulnerability in the htmlKeywordsFromUrl function of the FetchController class. The function permits unauthenticated users to submit URLs, which it fetches without verifying whether those endpoints belong to internal or private networks. Authenticated attackers can exploit this flaw to use the server for port scanning and service discovery on internal networks, which poses a risk to network security. The impact is limited because the function retrieves only HTML meta keyword content, but the exposure of the internal network remains a concern. This issue has been addressed in version 2.4.0.

Affected Version(s)

LinkAce < 2.4.0

CVSS V4

Score:
2.3
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
