@@ -36,9 +36,11 @@ Released on Dec 11th, 2025
3636
3737#### Minor Reflected SSRF fix
3838
39- We have been reported (CVE incomming) that a minor SSRF vulnerability was still present in Lychee.
40- The patch from v6.6.13 did not fully mitigate the issue as an edge cases as not considered.
41- The validation is done on the first URL, however if the URL is redirected, the redirection target was not validated against local network etc.
39+ We have been reported (CVE incoming) that a minor SSRF vulnerability was still present in Lychee.
40+ The patch from v6.6.13 did not fully mitigate the issue because an edge case had not been considered.
41+ Validation is done on the initial URL; however, if the URL is redirected, the redirection target was not validated against local network etc.
42+ To fix this, we added a new _ expert_ configuration option in the admin section which disables following redirects when importing from URL.
43+
4244
4345A big thanks to TableBasse, midfirewear, and petouha for reporting this vulnerability to us.
4446
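Review bot: the new line 42 describes the mitigation as an expert configuration option that disables following redirects, but it never states the option's default; if redirects are still followed by default, an unmodified install stays exposed to exactly the edge case line 41 describes (initial URL validated, redirect target not), so the entry should name the option as it appears in the admin section and say whether it is on or off by default, for example "... which disables following redirects when importing from URL (enabled by default)". A stronger fix worth mentioning here would be to re-run the same local-network validation on each redirect target rather than only offering an opt-in to refuse redirects, since that closes the gap without removing functionality. Two smaller points on the same lines: `_ expert_` on line 42 has a space after the opening underscore, so the emphasis will not render and should be `_expert_`; and "We have been reported (CVE incoming)" on line 39 is still ungrammatical after the spelling fix and reads better as "We received a report (CVE incoming)". The trailing "etc." on line 41 is also vague for a security changelog; listing what the check covers (local network, loopback, link-local, ...) would make the scope of the fix verifiable.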