Skip to content

Koel has SSRF through Authenticated Subsonic podcast feed URLs

Moderate severity GitHub Reviewed Published Jun 4, 2026 in koel/koel • Updated Jul 15, 2026

Package

composer phanan/koel (Composer)

Affected versions

<= 9.6.0

Patched versions

9.7.0

Description

Summary

Koel's Subsonic createPodcastChannel.view endpoint accepts a user supplied podcast feed URL and fetches it server-side before applying the safe URL checks that are used for podcast episode enclosure URLs. An authenticated Subsonic API user can provide a loopback or internal URL as the feed URL and cause the Koel backend to issue a request to that address.

A related redirect gap exists in the podcast stream helper: PodcastService::getStreamableUrl() validates only the original URL, then lets Guzzle follow redirects and accepts the final redirected URL without re-validating it.

Impact

An attacker with any valid Koel account and Subsonic API key can trigger server-side requests from the Koel host to loopback or internal network services. This can be used for blind SSRF against internal HTTP endpoints reachable by the Koel deployment. If an internal service returns valid RSS/XML or permissive CORS responses, parts of the response or final URL may be reflected back through normal podcast or stream behavior.

Reproduction

  1. Start Koel v9.6.0 or current main and create a normal user.
  2. Obtain the user's Subsonic API key.
  3. Start a local canary HTTP server on the Koel host at 127.0.0.1:8103 that records requests and returns this minimal RSS feed:
<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0">
  <channel>
    <title>Internal Canary Feed</title>
    <link>https://example.com/</link>
    <description>Internal feed SSRF canary</description>
    <item>
      <title>Episode One</title>
      <guid>koel-internal-canary-episode-1</guid>
      <pubDate>Mon, 01 Jun 2026 12:00:00 GMT</pubDate>
      <enclosure url="https://example.com/episode.mp3" length="1" type="audio/mpeg" />
    </item>
  </channel>
</rss>
  1. Send an authenticated Subsonic request:
GET /rest/createPodcastChannel.view?apiKey=<SUBSONIC_API_KEY>&f=json&url=http://127.0.0.1:8103/feed.xml HTTP/1.1
Host: koel.example
  1. The endpoint returns a successful Subsonic response and the canary records a backend request:
GET /feed.xml

Unauthenticated control: the same request without a valid API key fails and does not hit the canary.

Redirect control for the stream helper: calling PodcastService::getStreamableUrl() with direct http://127.0.0.1:8102/secret returns null and makes no canary request. Calling it with a safe-looking public URL that redirects to http://127.0.0.1:8102/secret causes the backend to request OPTIONS /secret and returns the loopback final URL.

Root cause

app/Http/Requests/Subsonic/CreatePodcastChannelRequest.php validates url only as required|string|url. The controller passes it to PodcastService::addPodcast(), where PodcastService.php calls createParser($url) and Poddle::fromUrl($url, ...) before any Network::isSafeUrl() check. The enclosure URL guard in synchronizeEpisodes() runs later and only covers episode enclosure URLs, not the feed URL that was already fetched.

For streaming, PodcastService::getStreamableUrl() checks Network::isSafeUrl($url) on the original URL, then follows redirects with Guzzle and accepts the last redirect target from X-Guzzle-Redirect-History without validating that target.

Remediation

Validate the podcast feed URL with the same safe URL policy before Poddle::fromUrl() performs any request. Re-validate every redirect target before following it, or disable automatic redirects and manually fetch only targets that pass the safe URL policy. Apply the same redirect validation in getStreamableUrl(). Add regression tests for direct loopback and private IP feed URLs, DNS names resolving to private ranges, and public URL to loopback redirects.

References

@phanan phanan published to koel/koel Jun 4, 2026
Published to the GitHub Advisory Database Jul 15, 2026
Reviewed Jul 15, 2026
Last updated Jul 15, 2026

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

EPSS score

Weaknesses

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Learn more on MITRE.

CVE ID

No known CVE

GHSA ID

GHSA-8q6q-m837-fv64

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.