PT-2026-27352

Published 2025-02-10 · Updated 2026-03-27 · CVE-2026-33693

CVSS v3.1: 6.5 Medium
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Lemmy versions prior to 0.7.0-beta.9

Description: The v4_is_invalid() function in the activitypub-federation-rust component does not adequately validate IPv4 addresses: it never checks for Ipv4Addr::UNSPECIFIED (0.0.0.0). An unauthenticated attacker who controls a remote domain can therefore bypass the Server-Side Request Forgery (SSRF) protections and reach services listening on the target server's localhost. The root cause is an oversight in v4_is_invalid(), which omits the unspecified-address check. In addition, a DNS rebinding Time-of-Check-Time-of-Use (TOCTOU) vulnerability exists because DNS resolution is performed twice, once for validation and once for the connection, so an attacker-controlled resolver can return a public address for the check and an internal address for the connection. This could expose cloud instance metadata or internal services.

Recommendations: Update to Lemmy version 0.7.0-beta.9 or later to address the issue. Ensure v4_is_invalid() includes a v4.is_unspecified() check to block 0.0.0.0. To mitigate the DNS rebinding TOCTOU vulnerability, resolve the host name once and pin the resolved IP address during client creation so the connection uses the address that was validated.
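As an added illustration (not code from Lemmy, activitypub-federation-rust or any other project listed on this page), the following Rust sketch reconstructs the two points of the advisory: a v4_is_invalid() that lacks the is_unspecified() check beside the corrected one, and a resolve-once-and-pin helper that closes the DNS rebinding TOCTOU window. The body of the weak variant is an assumption based on the description, not the project's source; the resolver is injected as a closure so the example runs offline, and all host names and addresses are constructed.

```rust
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr, SocketAddr};

/// Reconstruction (assumed, not the project's code) of the kind of check the
/// advisory describes as incomplete: loopback, private, link-local and
/// broadcast are rejected, but `is_unspecified()` is never asked, so
/// 0.0.0.0 passes and the request is routed to the local host.
pub fn v4_is_invalid_weak(v4: &Ipv4Addr) -> bool {
    v4.is_loopback() || v4.is_private() || v4.is_link_local() || v4.is_broadcast()
}

/// Hardened check: the advisory's recommended `is_unspecified()` test is
/// added, which blocks 0.0.0.0.
pub fn v4_is_invalid(v4: &Ipv4Addr) -> bool {
    v4.is_unspecified()
        || v4.is_loopback()
        || v4.is_private()
        || v4.is_link_local()
        || v4.is_broadcast()
}

/// IPv6 counterpart. fc00::/7 (unique local) and fe80::/10 (link local) are
/// matched on the first segment so the code only relies on stable std APIs.
/// IPv4-mapped addresses (::ffff:a.b.c.d) are unwrapped and judged by the
/// IPv4 rules, otherwise ::ffff:0.0.0.0 would slip through.
pub fn v6_is_invalid(v6: &Ipv6Addr) -> bool {
    if let Some(v4) = v6.to_ipv4_mapped() {
        return v4_is_invalid(&v4);
    }
    let seg0 = v6.segments()[0];
    v6.is_unspecified()
        || v6.is_loopback()
        || (seg0 & 0xfe00) == 0xfc00
        || (seg0 & 0xffc0) == 0xfe80
}

pub fn ip_is_invalid(ip: &IpAddr) -> bool {
    match ip {
        IpAddr::V4(v4) => v4_is_invalid(v4),
        IpAddr::V6(v6) => v6_is_invalid(v6),
    }
}

/// Resolve once, validate every answer, and return a pinned socket address.
/// The HTTP client must then connect to exactly this address (keeping the
/// original name for the Host header and SNI) instead of resolving the name
/// a second time; that removes the window in which a rebinding resolver can
/// swap a public answer for an internal one. `resolve` is injected so the
/// example runs offline; in production it wraps the real resolver.
pub fn pinned_target<F>(host: &str, port: u16, resolve: F) -> Result<SocketAddr, String>
where
    F: Fn(&str) -> Vec<IpAddr>,
{
    let addrs = resolve(host);
    if addrs.is_empty() {
        return Err(format!("{host}: no addresses"));
    }
    // Reject the whole name if any answer is internal: a mixed answer
    // (public record plus 127.0.0.1 or 0.0.0.0) is a common rebinding shape.
    for ip in &addrs {
        if ip_is_invalid(ip) {
            return Err(format!("{host}: refusing internal address {ip}"));
        }
    }
    Ok(SocketAddr::new(addrs[0], port))
}

fn main() {
    use std::cell::Cell;

    let zero = Ipv4Addr::UNSPECIFIED;
    println!("weak check rejects 0.0.0.0:  {}", v4_is_invalid_weak(&zero)); // false
    println!("fixed check rejects 0.0.0.0: {}", v4_is_invalid(&zero)); // true

    // Constructed resolver that changes its answer on the second lookup,
    // mimicking a rebinding DNS server. Because the target is resolved once
    // and pinned, the second answer is never consulted.
    let calls = Cell::new(0u32);
    let rebinding = |_: &str| {
        calls.set(calls.get() + 1);
        if calls.get() == 1 {
            vec![IpAddr::V4(Ipv4Addr::new(93, 184, 216, 34))]
        } else {
            vec![IpAddr::V4(Ipv4Addr::UNSPECIFIED)]
        }
    };
    let target = pinned_target("rebind.example", 80, &rebinding);
    println!("pinned target: {target:?} after {} lookup(s)", calls.get());
}
```

The pinned address is only useful if the client honours it; a client that takes a URL and resolves it again internally reopens the TOCTOU, so the address must be handed to the connector layer (for example via a per-host address override) while the name is kept for the Host header and TLS SNI.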

Exploit · Fix · SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-33693
GHSA-7723-35V7-QCXW
GHSA-Q537-8FR5-CW35

Affected Products

Lemmy
Activitypub-Federation-Rust
Fediscus
Fediverse-Axum
Gill
Hatsu
Reqwest
Ties