PT-2025-27148 · Lychee · Lychee

Baranteyin1 · Published 2025-06-27 · Updated 2025-06-27 · CVE-2025-53018

CVSS v3.1: 3.0 (Low)
Vector: AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Lychee versions prior to 6.6.13
Description: A critical Server-Side Request Forgery (SSRF) issue exists in the "/api/v2/Photo::fromUrl" endpoint, allowing an attacker to instruct the application's backend to make HTTP requests to any URL they choose. This enables access to internal network resources, such as localhost services or cloud-provider metadata endpoints. The endpoint takes a URL from the user and fetches it server-side via fopen() without any of the usual safeguards: IP address validation, an allow-list, a timeout, or a size limit. Attackers can use this flaw to perform internal port scans or retrieve sensitive cloud metadata.
Recommendations: For versions prior to 6.6.13, update to version 6.6.13 to resolve the issue. As a temporary workaround, consider restricting access to the "/api/v2/Photo::fromUrl" endpoint until the patch is applied. Avoid using the URL variable in the affected API endpoint until the issue is resolved.
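A hardened URL-fetch routine of the kind the advisory says is missing, written here as an added example in Python rather than Lychee's PHP (it is not Lychee's code or its fix): it enforces a scheme allow-list, resolves the host and rejects any loopback, private, link-local or otherwise non-global address (which covers the cloud metadata address), refuses redirects, and applies a timeout and a size cap. The policy constants and the injectable `resolver` hook are assumptions made for this example.

```python
import ipaddress
import socket
import urllib.request
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
TIMEOUT_SECONDS = 10          # assumed policy values, not Lychee's own
MAX_BYTES = 20 * 1024 * 1024  # hard cap on the downloaded photo

def is_public_address(ip_str):
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(ip_str)
    # Unwrap ::ffff:a.b.c.d so an IPv4-mapped loopback/private address is judged by its v4 part
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global is False for loopback, RFC 1918, link-local (incl. 169.254.169.254), CGNAT, TEST-NETs, reserved
    return ip.is_global and not ip.is_multicast

def default_resolver(host):
    """Every A/AAAA answer for a hostname; all of them must pass the check."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def validate_fetch_url(url, resolver=default_resolver):
    """Return the public IPs a URL resolves to, or raise ValueError."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname or parts.username or parts.password:
        raise ValueError("missing host, or userinfo present in URL")
    try:
        addrs = [str(ipaddress.ip_address(parts.hostname))]  # literal IP
    except ValueError:
        addrs = resolver(parts.hostname)
    if not addrs or not all(is_public_address(a) for a in addrs):
        raise ValueError(f"URL resolves to a non-public address: {addrs}")
    return addrs

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # refuse: a 302 to an internal host would bypass the check above

def fetch_limited(url, resolver=default_resolver):
    """Validate, then download with a timeout and a hard size cap."""
    validate_fetch_url(url, resolver)
    opener = urllib.request.build_opener(NoRedirect)
    with opener.open(url, timeout=TIMEOUT_SECONDS) as resp:
        data = resp.read(MAX_BYTES + 1)
    if len(data) > MAX_BYTES:
        raise ValueError("response exceeds size limit")
    return data
```

Note that the name is resolved once for the check and again by the HTTP client, so a host whose DNS answer changes between the two (rebinding) can still slip through; pinning the connection to the checked IP closes that gap.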


Weakness Enumeration

Related Identifiers

CVE-2025-53018
GHSA-CPGW-WGF3-XC6V

Affected Products

Lychee