Summary
Koel's Subsonic createPodcastChannel.view endpoint accepts a user supplied podcast feed URL and fetches it server-side before applying the safe URL checks that are used for podcast episode enclosure URLs. An authenticated Subsonic API user can provide a loopback or internal URL as the feed URL and cause the Koel backend to issue a request to that address.
A related redirect gap exists in the podcast stream helper: PodcastService::getStreamableUrl() validates only the original URL, then lets Guzzle follow redirects and accepts the final redirected URL without re-validating it.
Impact
An attacker with any valid Koel account and Subsonic API key can trigger server-side requests from the Koel host to loopback or internal network services. This can be used for blind SSRF against internal HTTP endpoints reachable by the Koel deployment. If an internal service returns valid RSS/XML or permissive CORS responses, parts of the response or final URL may be reflected back through normal podcast or stream behavior.
Reproduction
- Start Koel v9.6.0 or current main and create a normal user.
- Obtain the user's Subsonic API key.
- Start a local canary HTTP server on the Koel host at
127.0.0.1:8103 that records requests and returns this minimal RSS feed:
<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0">
<channel>
<title>Internal Canary Feed</title>
<link>https://example.com/</link>
<description>Internal feed SSRF canary</description>
<item>
<title>Episode One</title>
<guid>koel-internal-canary-episode-1</guid>
<pubDate>Mon, 01 Jun 2026 12:00:00 GMT</pubDate>
<enclosure url="https://example.com/episode.mp3" length="1" type="audio/mpeg" />
</item>
</channel>
</rss>
- Send an authenticated Subsonic request:
GET /rest/createPodcastChannel.view?apiKey=<SUBSONIC_API_KEY>&f=json&url=http://127.0.0.1:8103/feed.xml HTTP/1.1
Host: koel.example
- The endpoint returns a successful Subsonic response and the canary records a backend request:
GET /feed.xml
Unauthenticated control: the same request without a valid API key fails and does not hit the canary.
Redirect control for the stream helper: calling PodcastService::getStreamableUrl() with direct http://127.0.0.1:8102/secret returns null and makes no canary request. Calling it with a safe-looking public URL that redirects to http://127.0.0.1:8102/secret causes the backend to request OPTIONS /secret and returns the loopback final URL.
Root cause
app/Http/Requests/Subsonic/CreatePodcastChannelRequest.php validates url only as required|string|url. The controller passes it to PodcastService::addPodcast(), where PodcastService.php calls createParser($url) and Poddle::fromUrl($url, ...) before any Network::isSafeUrl() check. The enclosure URL guard in synchronizeEpisodes() runs later and only covers episode enclosure URLs, not the feed URL that was already fetched.
For streaming, PodcastService::getStreamableUrl() checks Network::isSafeUrl($url) on the original URL, then follows redirects with Guzzle and accepts the last redirect target from X-Guzzle-Redirect-History without validating that target.
Remediation
Validate the podcast feed URL with the same safe URL policy before Poddle::fromUrl() performs any request. Re-validate every redirect target before following it, or disable automatic redirects and manually fetch only targets that pass the safe URL policy. Apply the same redirect validation in getStreamableUrl(). Add regression tests for direct loopback and private IP feed URLs, DNS names resolving to private ranges, and public URL to loopback redirects.
References
Summary
Koel's Subsonic
createPodcastChannel.viewendpoint accepts a user supplied podcast feed URL and fetches it server-side before applying the safe URL checks that are used for podcast episode enclosure URLs. An authenticated Subsonic API user can provide a loopback or internal URL as the feed URL and cause the Koel backend to issue a request to that address.A related redirect gap exists in the podcast stream helper:
PodcastService::getStreamableUrl()validates only the original URL, then lets Guzzle follow redirects and accepts the final redirected URL without re-validating it.Impact
An attacker with any valid Koel account and Subsonic API key can trigger server-side requests from the Koel host to loopback or internal network services. This can be used for blind SSRF against internal HTTP endpoints reachable by the Koel deployment. If an internal service returns valid RSS/XML or permissive CORS responses, parts of the response or final URL may be reflected back through normal podcast or stream behavior.
Reproduction
127.0.0.1:8103that records requests and returns this minimal RSS feed:Unauthenticated control: the same request without a valid API key fails and does not hit the canary.
Redirect control for the stream helper: calling
PodcastService::getStreamableUrl()with directhttp://127.0.0.1:8102/secretreturnsnulland makes no canary request. Calling it with a safe-looking public URL that redirects tohttp://127.0.0.1:8102/secretcauses the backend to requestOPTIONS /secretand returns the loopback final URL.Root cause
app/Http/Requests/Subsonic/CreatePodcastChannelRequest.phpvalidatesurlonly asrequired|string|url. The controller passes it toPodcastService::addPodcast(), wherePodcastService.phpcallscreateParser($url)andPoddle::fromUrl($url, ...)before anyNetwork::isSafeUrl()check. The enclosure URL guard insynchronizeEpisodes()runs later and only covers episode enclosure URLs, not the feed URL that was already fetched.For streaming,
PodcastService::getStreamableUrl()checksNetwork::isSafeUrl($url)on the original URL, then follows redirects with Guzzle and accepts the last redirect target fromX-Guzzle-Redirect-Historywithout validating that target.Remediation
Validate the podcast feed URL with the same safe URL policy before
Poddle::fromUrl()performs any request. Re-validate every redirect target before following it, or disable automatic redirects and manually fetch only targets that pass the safe URL policy. Apply the same redirect validation ingetStreamableUrl(). Add regression tests for direct loopback and private IP feed URLs, DNS names resolving to private ranges, and public URL to loopback redirects.References