Nutomic

**Name of the Vulnerable Software and Affected Versions** Lemmy versions prior to 0.19.18 **Description** An authenticated low-privileged user can trigger server-side HTTP requests toward internal services. This occurs when a user creates a link post in a public community via the "POST /api/v3/post" endpoint. The backend asynchronously sends a Webmention to the target link, but the system fails to reject loopback, private, or link-local destinations. The `url` variable is validated for syntax and scheme using the `is valid url()` function, but it does not implement internal address rejection, allowing the application server to be used as a blind Server-Side Request Forgery (SSRF) primitive. SSRF is a flaw where an attacker can force a server to make requests to an unintended location, often bypassing network security controls to reach internal systems. **Recommendations** Update to version 0.19.18.

**Name of the Vulnerable Software and Affected Versions** Lemmy versions prior to 0.19.18 **Description** Lemmy fetches metadata for user-supplied post URLs and, when using the default `StoreLinkPreviews` image mode, downloads preview images via local pict-rs. While the initial top-level page URL is checked against internal IP ranges, the extracted `og:image` URL is not subject to this restriction. This allows an authenticated low-privileged user to submit a public page where the Open Graph image points to an internal image endpoint. The server will then fetch the internal image and store a local thumbnail that can be served back to users. This process involves the `extract opengraph data()` function accepting absolute values and `generate post link metadata()` passing the URL to `generate pictrs thumbnail()`, which requests the image through the 'image/download?url=...' endpoint. This can be used to retrieve internal image resources and expose content reachable only from the application host. **Recommendations** Update to version 0.19.18.