PT-2026-30682 · Npm · Postiz

Published: 2026-03-27 · Updated: 2026-03-27

CVSS v4.0: 7.8 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:H/SI:L/SA:N

Summary

Postiz has multiple SSRF vulnerabilities where user-provided URLs are fetched server-side without any IP validation or SSRF protection.

Vulnerable Code

1. Webhook Send Endpoint (Most Critical)

apps/backend/src/api/routes/webhooks.controller.ts lines 58-70:
```typescript
async sendWebhook(@Body() body: any, @Query('url') url: string) {
  try {
    await fetch(url, { // No URL validation
      method: 'POST',
      body: JSON.stringify(body),
      headers: { 'Content-Type': 'application/json' },
    });
  } catch (err) { } // Errors are swallowed; the caller always sees { send: true }
  return { send: true };
}
```
Accepts an arbitrary URL via the query parameter and fetches it directly.

2. Stored Webhook Delivery

apps/orchestrator/src/activities/post.activity.ts lines 256-281:
```typescript
async sendWebhooks(postId: string, orgId: string, integrationId: string) {
  const webhooks = await this.webhookService.getWebhooks(orgId);
  return Promise.all(
    webhooks.map(async (webhook) => {
      await fetch(webhook.url, { // Stored URL, no validation
        method: 'POST',
        body: JSON.stringify(post),
      });
    })
  );
}
```

3. RSS/XML Feed Parser

libraries/nestjs-libraries/src/database/prisma/autopost/autopost.service.ts line 135:
```typescript
async loadXML(url: string) {
  const { items } = await parser.parseURL(url); // No URL validation
}
```

4. HTML Content Loader

libraries/nestjs-libraries/src/database/prisma/autopost/autopost.service.ts line 185:
```typescript
async loadUrl(url: string) {
  const loadDom = new JSDOM(await (await fetch(url)).text()); // No validation
}
```

Missing Protections

  • No request-filtering-agent or SSRF library
  • No private IP range filtering
  • No cloud metadata endpoint blocking
  • No DNS rebinding protection
  • URL validation only via @IsUrl() decorator (format only, no IP check)

Attack Scenarios

  1. POST /webhooks/send?url=http://169.254.169.254/latest/meta-data/ → AWS metadata theft
  2. POST /autopost/send?url=http://127.0.0.1:6379 → Internal Redis access
  3. Create webhook with http://10.0.0.1:8080/admin → Internal service access on post publish
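The following is an added example, not Postiz's own code, of the outbound-URL check that the "Missing Protections" list says is absent, applied as a hardened counterpart to the webhook sender above. It allowlists the scheme, resolves the hostname, refuses any resolved address in the loopback, RFC 1918, CGNAT, link-local (which covers the 169.254.169.254 metadata endpoint), multicast or reserved ranges, handles IPv6 including IPv4-mapped forms, relies on WHATWG URL parsing to normalise numeric hosts such as `2130706433`, refuses to follow redirects, and returns the validated address so the caller can pin the connection against DNS rebinding. The names `checkOutboundUrl`, `sendWebhookSafely`, `isBlockedAddress`, `Resolver`, `FetchLike` and the hosts `hooks.example.test` / `rebind.example.test` used in its tests are assumptions for this example; the three URLs from the attack scenarios above are exactly the inputs it is meant to refuse.

```typescript
import { promises as dns } from "node:dns";

// Hypothetical hardened replacement for the unvalidated fetch calls above (example code, not Postiz's own).
// Resolver: hostname -> IP strings. The default uses the system resolver; tests inject a fake one.
export type Resolver = (hostname: string) => Promise<string[]>;
export const systemResolver: Resolver = async (hostname) =>
  (await dns.lookup(hostname, { all: true })).map((a) => a.address);
// Minimal fetch-like signature so the sender can be exercised with a recording stub.
export type FetchLike = (input: string, init: Record<string, unknown>) => Promise<unknown>;
export interface Decision { ok: boolean; reason?: string; pinnedAddress?: string }

// IPv4 ranges a server-side fetch of user-supplied input must never reach: "this host", RFC 1918,
// CGNAT, loopback, link-local (covers the 169.254.169.254 metadata endpoint), multicast, reserved.
const BLOCKED_V4 = ["0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
  "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4"];
const V4_LITERAL = /^\d{1,3}(\.\d{1,3}){3}$/;

function ipv4ToInt(ip: string): number {
  return ip.split(".").reduce((acc, o) => ((acc << 8) + Number(o)) >>> 0, 0);
}

function inCidr4(ip: string, cidr: string): boolean {
  const [base, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

// Parse IPv6 text into eight 16-bit groups, or null if malformed. Expands "::" and an embedded
// IPv4 tail such as ::ffff:127.0.0.1 (the form a resolver or URL parser may hand back).
function parseIpv6(text: string): number[] | null {
  let s = text;
  const v4tail = s.match(/^(.*:)(\d{1,3}(?:\.\d{1,3}){3})$/);
  if (v4tail) {
    const n = ipv4ToInt(v4tail[2]);
    s = `${v4tail[1]}${(n >>> 16).toString(16)}:${(n & 0xffff).toString(16)}`;
  }
  const halves = s.split("::");
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(":") : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(":") : [];
  const fill = halves.length === 2 ? 8 - head.length - tail.length : 0;
  if (fill < 0 || (halves.length === 1 && head.length !== 8)) return null;
  const groups = [...head, ...Array<string>(fill).fill("0"), ...tail].map((g) => parseInt(g, 16));
  return groups.length === 8 && groups.every((g) => g >= 0 && g <= 0xffff) ? groups : null;
}

function isBlockedV6(g: number[]): boolean {
  if (g.slice(0, 5).every((x) => x === 0) && g[5] === 0xffff) {
    // IPv4-mapped address: apply the IPv4 policy to the embedded address.
    return isBlockedAddress(`${g[6] >> 8}.${g[6] & 0xff}.${g[7] >> 8}.${g[7] & 0xff}`);
  }
  const unspecified = g.every((x) => x === 0);                         // ::
  const loopback = g.slice(0, 7).every((x) => x === 0) && g[7] === 1; // ::1
  const linkLocal = (g[0] & 0xffc0) === 0xfe80;                        // fe80::/10
  const uniqueLocal = (g[0] & 0xfe00) === 0xfc00;                      // fc00::/7
  const multicast = (g[0] & 0xff00) === 0xff00;                        // ff00::/8
  return unspecified || loopback || linkLocal || uniqueLocal || multicast;
}

// True when the address must not be contacted. Anything unparseable is refused, not guessed at.
export function isBlockedAddress(ip: string): boolean {
  if (V4_LITERAL.test(ip) && ip.split(".").every((o) => Number(o) <= 255)) {
    return BLOCKED_V4.some((c) => inCidr4(ip, c));
  }
  const groups = ip.includes(":") ? parseIpv6(ip) : null;
  return groups === null || isBlockedV6(groups);
}

function parseUrl(raw: string): URL | null {
  try { return new URL(raw); } catch { return null; }
}

// Validate a user-supplied URL before any server-side fetch of it.
export async function checkOutboundUrl(raw: string, resolve: Resolver = systemResolver): Promise<Decision> {
  const url = parseUrl(raw);
  if (url === null) return { ok: false, reason: "unparseable URL" };
  if (url.protocol !== "http:" && url.protocol !== "https:") return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  if (url.username || url.password) return { ok: false, reason: "credentials in URL" };
  // WHATWG parsing has already rewritten numeric hosts such as 2130706433 or 0x7f000001 into dotted
  // form, so the literal check sees the address the socket would actually use.
  const host = url.hostname.replace(/^\[|\]$/g, "");
  let addrs: string[] = [];
  try {
    addrs = host.includes(":") || V4_LITERAL.test(host) ? [host] : await resolve(host);
  } catch { /* a resolver error is treated the same as "did not resolve" */ }
  if (addrs.length === 0) return { ok: false, reason: `${host} did not resolve` };
  const bad = addrs.find(isBlockedAddress);
  if (bad !== undefined) return { ok: false, reason: `${host} resolves to blocked address ${bad}` };
  // Every resolved address passed. The caller must connect to pinnedAddress rather than resolve again,
  // or a DNS-rebinding server can answer this lookup with a public IP and the connect with 10.0.0.1.
  return { ok: true, pinnedAddress: addrs[0] };
}

// Hardened body for the webhook sender: validate first, never follow redirects (a 3xx pointing at
// http://127.0.0.1:6379 would otherwise be followed), and report refusals instead of `{ send: true }`.
export async function sendWebhookSafely(url: string, body: unknown, resolve: Resolver = systemResolver,
  fetchImpl: FetchLike = (globalThis as any).fetch): Promise<Decision> {
  const decision = await checkOutboundUrl(url, resolve);
  if (!decision.ok) return decision;
  await fetchImpl(url, { method: "POST", body: JSON.stringify(body),
    headers: { "Content-Type": "application/json" }, redirect: "error" });
  return decision;
}
```

`sendWebhookSafely` validates but still lets `fetch` perform its own lookup; to close the rebinding window completely, the connection should use `decision.pinnedAddress` (for example through a custom HTTP agent's `lookup` option that returns that address). The same `checkOutboundUrl` call belongs in front of the stored-webhook delivery, `parser.parseURL` and `JSDOM` loaders above, and since stored webhook URLs are resolved again at publish time, they need the check at send time as well as at creation.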

Impact

  • Cloud metadata theft: AWS/GCP/Azure credentials
  • Internal network scanning: Full access to private IP ranges
  • Multiple entry points: Webhooks, RSS feeds, URL loader all vulnerable

Fix

SSRF


Weakness Enumeration

Related Identifiers

GHSA-89V5-38XR-9M4J

Affected Products

Postiz