
Elliot Courant

#31101 of 53,633
8.3 Total CVSS
Vulnerabilities · 1
PT-2026-34611
8.3
2026-04-22
Monetr · Monetr · CVE-2026-41644
**Name of the Vulnerable Software and Affected Versions**

monetr versions prior to 1.12.5

**Description**

A server-side request forgery (SSRF) flaw in the Lunch Flow integration allows any authenticated user of a self-hosted instance to make the server issue HTTP GET requests to arbitrary URLs. When the upstream returns a non-200 status, its response body is reflected back in the API error message, so the attacker can read what the server fetched. The URL validator for the `POST /api/lunch_flow/link` endpoint checked only the URL scheme and rejected query parameters; it did not filter loopback, RFC 1918, link-local, or cloud-provider metadata addresses. On a cloud host this can expose instance metadata. A denial-of-service vector also exists: the outbound response body is read with no size limit, so a large upstream response can exhaust server memory.

**Recommendations**

- Update to version 1.12.5 or later.
- Set `MONETR_ALLOW_SIGN_UP=false` to disable public sign-up, so only accounts you have provisioned can reach the endpoint.
- Set `lunchFlow.enabled: false` in the configuration file to disable the Lunch Flow integration entirely.
- Restrict outbound HTTP egress from the container to the legitimate Lunch Flow hosts only; this is the backstop if an application-level filter is bypassed.
- On AWS EC2, enforce IMDSv2: it requires a PUT to obtain a session token before metadata can be read, which a GET-only SSRF cannot perform.
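The validator gap and the mitigations the advisory describes, as an added Go example. This is not monetr's code and not the patch shipped in 1.12.5: `ValidateSchemeOnly` reproduces the kind of scheme-only check the advisory faults, `ValidateUpstreamURL` and `IsForbiddenIP` are a hardened replacement that resolves the host and rejects loopback, RFC 1918, link-local (which contains 169.254.169.254) and other non-public addresses, `NewEgressClient` re-checks the resolved address at dial time so DNS rebinding cannot slip past the pre-flight check, and `ReadBounded` caps the response body read. All function names, the `Resolver` type, the 203.0.113.10 sample address and the timeouts are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/url"
	"syscall"
	"time"
)

// ValidateSchemeOnly mirrors the insufficient check the advisory describes: any
// http(s) URL without a query string passes, 169.254.169.254 and ::1 included.
func ValidateSchemeOnly(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return errors.New("unsupported scheme")
	}
	if u.RawQuery != "" {
		return errors.New("query parameters are not allowed")
	}
	return nil
}

// IsForbiddenIP is the address policy the original validator lacked. Link-local
// covers 169.254.169.254; net.IP unwraps IPv4-mapped forms like ::ffff:127.0.0.1.
func IsForbiddenIP(ip net.IP) bool {
	return ip.IsLoopback() ||
		ip.IsPrivate() || // 10/8, 172.16/12, 192.168/16, fc00::/7
		ip.IsLinkLocalUnicast() || // 169.254/16, fe80::/10
		ip.IsLinkLocalMulticast() || ip.IsUnspecified() || ip.IsMulticast()
}

// Resolver is injected so the check can run offline; net.LookupIP satisfies it.
type Resolver func(host string) ([]net.IP, error)

// ValidateUpstreamURL is the hardened pre-flight check: scheme, no query, no
// embedded credentials, a host, and every address it resolves to must be public.
func ValidateUpstreamURL(raw string, resolve Resolver) (*url.URL, error) {
	if err := ValidateSchemeOnly(raw); err != nil {
		return nil, err
	}
	u, _ := url.Parse(raw) // parsed successfully above
	host := u.Hostname()
	if u.User != nil || host == "" {
		return nil, errors.New("URL must have a host and no embedded credentials")
	}
	ips := []net.IP{net.ParseIP(host)} // a literal address needs no lookup
	if ips[0] == nil {
		var err error
		if ips, err = resolve(host); err != nil {
			return nil, fmt.Errorf("resolve %q: %w", host, err)
		}
	}
	for _, ip := range ips {
		if IsForbiddenIP(ip) {
			return nil, fmt.Errorf("destination %s is not allowed", ip)
		}
	}
	return u, nil
}

// NewEgressClient re-applies the policy at connect time. Dialer.Control runs after
// name resolution with the concrete ip:port, so a name that was public during
// validation and resolves to 127.0.0.1 a moment later (DNS rebinding) is refused.
// Redirects are not followed, and no proxy is used: a proxy would be the dial target.
func NewEgressClient() *http.Client {
	dialer := &net.Dialer{Timeout: 10 * time.Second,
		Control: func(_, address string, _ syscall.RawConn) error {
			host, _, err := net.SplitHostPort(address)
			if ip := net.ParseIP(host); err != nil || ip == nil || IsForbiddenIP(ip) {
				return fmt.Errorf("egress to %s refused", address)
			}
			return nil
		}}
	return &http.Client{Timeout: 30 * time.Second,
		Transport:     &http.Transport{Proxy: nil, DialContext: dialer.DialContext},
		CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse },
	}
}

// ReadBounded reads at most max bytes and fails instead of buffering an oversized
// body. Return a generic error to the API caller rather than echoing the upstream
// body, which was the reflection leak in the original.
func ReadBounded(r io.Reader, max int64) ([]byte, error) {
	data, err := io.ReadAll(io.LimitReader(r, max+1))
	if err == nil && int64(len(data)) > max {
		return nil, fmt.Errorf("upstream response exceeds %d bytes", max)
	}
	return data, err
}

func main() {
	for _, raw := range []string{"https://203.0.113.10/api/link", // hypothetical upstream
		"http://169.254.169.254/latest/meta-data/", "http://[::1]:8080/"} {
		_, err := ValidateUpstreamURL(raw, net.LookupIP) // literal IPs, so no DNS is needed
		fmt.Printf("%-42s scheme-only: %v | hardened: %v\n", raw, ValidateSchemeOnly(raw), err)
	}
}
```

`ValidateSchemeOnly` deliberately keeps the weak behaviour so the two checks can be compared on the same input; the metadata and loopback URLs pass it and fail `ValidateUpstreamURL`. `net.IP.IsPrivate` needs Go 1.17 or later. The pre-flight check alone is not enough because the address a name resolved to during validation is not necessarily the one the dial connects to, which is why the same `IsForbiddenIP` policy is enforced again in `Dialer.Control`; network-level egress restriction, as the advisory recommends, remains the backstop for anything the application filter does not anticipate.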