{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-53018", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-06-24T03:50:36.796Z", "datePublished": "2025-06-27T13:00:14.086Z", "dateUpdated": "2025-06-27T13:58:56.661Z"}, "containers": {"cna": {"title": "Lychee has Server-Side Request Forgery (SSRF) in Photo::fromUrl API via unvalidated remote image URLs", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-cpgw-wgf3-xc6v", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-cpgw-wgf3-xc6v"}, {"name": "https://github.com/LycheeOrg/Lychee/commit/9dc162eefe56ce185ac1d59da42ee557933d914d", "tags": ["x_refsource_MISC"], "url": "https://github.com/LycheeOrg/Lychee/commit/9dc162eefe56ce185ac1d59da42ee557933d914d"}], "affected": [{"vendor": "LycheeOrg", "product": "Lychee", "versions": [{"version": "< 6.6.13", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-06-27T13:00:14.086Z"}, "descriptions": [{"lang": "en", "value": "Lychee is a free, open-source photo-management tool. Prior to version 6.6.13, a critical Server-Side Request Forgery (SSRF) vulnerability exists in the `/api/v2/Photo::fromUrl` endpoint. This flaw lets an attacker instruct the application\u2019s backend to make HTTP requests to any URL they choose. Consequently, internal network resources\u2014such as localhost services or cloud-provider metadata endpoints\u2014become reachable. The endpoint takes a URL from the user and calls it server-side via fopen() without any safeguards. There is no IP address validation, nor are there any allow-list, timeout, or size restrictions. Because of this, attackers can point the application at internal targets. Using this flaw, an attacker can perform internal port scans or retrieve sensitive cloud metadata. Version 6.6.13 contains a patch for the issue."}], "source": {"advisory": "GHSA-cpgw-wgf3-xc6v", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-cpgw-wgf3-xc6v", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-27T13:58:53.801963Z", "id": "CVE-2025-53018", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-27T13:58:56.661Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-53018", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-27T13:58:53.801963Z"}}}], "references": [{"url": "https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-cpgw-wgf3-xc6v", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-27T13:58:49.549Z"}}], "cna": {"title": "Lychee has Server-Side Request Forgery (SSRF) in Photo::fromUrl API via unvalidated remote image URLs", "source": {"advisory": "GHSA-cpgw-wgf3-xc6v", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 3, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "LycheeOrg", "product": "Lychee", "versions": [{"status": "affected", "version": "< 6.6.13"}]}], "references": [{"url": "https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-cpgw-wgf3-xc6v", "name": "https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-cpgw-wgf3-xc6v", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/LycheeOrg/Lychee/commit/9dc162eefe56ce185ac1d59da42ee557933d914d", "name": "https://github.com/LycheeOrg/Lychee/commit/9dc162eefe56ce185ac1d59da42ee557933d914d", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Lychee is a free, open-source photo-management tool. Prior to version 6.6.13, a critical Server-Side Request Forgery (SSRF) vulnerability exists in the `/api/v2/Photo::fromUrl` endpoint. This flaw lets an attacker instruct the application\u2019s backend to make HTTP requests to any URL they choose. Consequently, internal network resources\u2014such as localhost services or cloud-provider metadata endpoints\u2014become reachable. The endpoint takes a URL from the user and calls it server-side via fopen() without any safeguards. There is no IP address validation, nor are there any allow-list, timeout, or size restrictions. Because of this, attackers can point the application at internal targets. Using this flaw, an attacker can perform internal port scans or retrieve sensitive cloud metadata. Version 6.6.13 contains a patch for the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-06-27T13:00:14.086Z"}}}, "cveMetadata": {"cveId": "CVE-2025-53018", "state": "PUBLISHED", "dateUpdated": "2025-06-27T13:58:56.661Z", "dateReserved": "2025-06-24T03:50:36.796Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-06-27T13:00:14.086Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Lychee is a free, open-source photo-management tool. Prior to version 6.6.13, a critical Server-Side Request Forgery (SSRF) vulnerability exists in the `/api/v2/Photo::fromUrl` endpoint. This flaw lets an attacker instruct the application\u2019s backend to make HTTP requests to any URL they choose. Consequently, internal network resources\u2014such as localhost services or cloud-provider metadata endpoints\u2014become reachable. The endpoint takes a URL from the user and calls it server-side via fopen() without any safeguards. There is no IP address validation, nor are there any allow-list, timeout, or size restrictions. Because of this, attackers can point the application at internal targets. Using this flaw, an attacker can perform internal port scans or retrieve sensitive cloud metadata. Version 6.6.13 contains a patch for the issue."}, {"lang": "es", "value": "Lychee es una herramienta gratuita y de c\u00f3digo abierto para la gesti\u00f3n de fotos. Antes de la versi\u00f3n 6.6.13, exist\u00eda una vulnerabilidad cr\u00edtica de Server-Side Request Forgery (SSRF) en el endpoint `/api/v2/Photo::fromUrl`. Esta falla permite a un atacante indicar al backend de la aplicaci\u00f3n que realice solicitudes HTTP a cualquier URL. En consecuencia, se puede acceder a recursos internos de la red, como servicios de host local o endpoints de metadatos de proveedores de la nube. El endpoint toma una URL del usuario y la llama desde el servidor mediante fopen() sin ninguna protecci\u00f3n. No hay validaci\u00f3n de direcci\u00f3n IP, ni restricciones de lista de permitidos, tiempo de espera ni tama\u00f1o. Gracias a esto, los atacantes pueden apuntar la aplicaci\u00f3n a objetivos internos. Con esta falla, un atacante puede realizar escaneos de puertos internos o recuperar metadatos confidenciales de la nube. La versi\u00f3n 6.6.13 incluye un parche para este problema."}], "id": "CVE-2025-53018", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.0, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-06-27T13:15:24.803", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/LycheeOrg/Lychee/commit/9dc162eefe56ce185ac1d59da42ee557933d914d"}, {"source": "security-advisories@github.com", "url": "https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-cpgw-wgf3-xc6v"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-cpgw-wgf3-xc6v"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"created": "2025-07-06T22:16:27.025248+00:00", "updated": "2025-07-06T22:16:27.025303+00:00", "vendors": ["lycheeorg", "lycheeorg$PRODUCT$lychee"]}