CVE-2025-69206

Name of the Vulnerable Software and Affected Versions Hemmelig versions prior to 7.3.3

Description A Server-Side Request Forgery (SSRF) filter bypass exists in the webhook URL validation of the Secret Requests feature in Hemmelig, a messaging app with client-side encryption and self-destructing messages. The application attempts to block internal/private IP addresses but this can be bypassed using DNS rebinding or open redirect services. This allows an authenticated user to make the server initiate HTTP requests to internal network resources.

Recommendations Update to version 7.3.3 or later.