CVE-2025-53018: CWE-918: Server-Side Request Forgery (SSRF) in LycheeOrg Lychee
Lychee is a free, open-source photo-management tool. Prior to version 6.6.13, a critical Server-Side Request Forgery (SSRF) vulnerability exists in the `/api/v2/Photo::fromUrl` endpoint. This flaw lets an attacker instruct the application's backend to make HTTP requests to any URL they choose. Consequently, internal network resources, such as localhost services or cloud-provider metadata endpoints, become reachable. The endpoint takes a URL from the user and fetches it server-side via fopen() without any safeguards. There is no IP address validation, nor are there any allow-list, timeout, or size restrictions. Because of this, attackers can point the application at internal targets. Using this flaw, an attacker can perform internal port scans or retrieve sensitive cloud metadata. Version 6.6.13 contains a patch for the issue.
AI Analysis
Technical Summary
CVE-2025-53018 is a Server-Side Request Forgery (SSRF) vulnerability identified in Lychee, an open-source photo-management application. The vulnerability exists in versions prior to 6.6.13 within the `/api/v2/Photo::fromUrl` API endpoint. This endpoint accepts a user-supplied URL and uses PHP's fopen() function to fetch the resource server-side without any validation or restrictions. The absence of IP address validation, allow-listing, timeouts, or size limits enables an attacker to coerce the backend server into making arbitrary HTTP requests to internal or external network resources. These can include internal services on localhost or cloud-provider metadata endpoints, which are typically unreachable from outside the network. Exploiting this flaw allows an attacker to perform internal network reconnaissance such as port scanning, or to retrieve sensitive information like cloud instance metadata, potentially leading to further compromise. The vulnerability is classified under CWE-918 (Server-Side Request Forgery). The CVSS v3.1 base score is 3.0 (low severity); this rating reflects the requirement for low privileges and user interaction, as well as the limited direct impact on confidentiality, integrity, and availability. The vulnerability was publicly disclosed on June 27, 2025, and patched in Lychee version 6.6.13. No known exploits are reported in the wild at this time. The flaw highlights the risk of passing unsanitized user input into server-side HTTP requests and the importance of strict validation and access controls on such functionality.
Potential Impact
For European organizations using Lychee versions prior to 6.6.13, this SSRF vulnerability poses a risk primarily to internal network confidentiality. Attackers who can submit URLs to the vulnerable endpoint may leverage it to access internal services that are otherwise protected by network segmentation or firewalls. This includes sensitive internal APIs, databases, or cloud metadata services that could disclose credentials or configuration details. While the direct impact on data integrity or availability is minimal, the information gained through SSRF can facilitate lateral movement or privilege escalation within the network. Organizations operating in cloud environments (e.g., AWS, Azure, GCP) are particularly at risk of metadata exposure, which can lead to credential theft and broader compromise. The requirement for low privileges and user interaction means that attackers might exploit this vulnerability through social engineering or by compromising low-privilege accounts. Given Lychee's use case in managing photo libraries, organizations in media, education, or public sectors using this tool could be targeted to gain footholds or gather intelligence. Although no active exploitation is reported, the vulnerability should be treated seriously due to its potential to bypass network boundaries and access sensitive internal resources.
Mitigation Recommendations
European organizations should immediately upgrade Lychee installations to version 6.6.13 or later, where the SSRF vulnerability is patched. If upgrading is not immediately feasible, organizations should implement network-level controls to restrict the application server's outbound HTTP requests, limiting them to only trusted external endpoints. Application-level mitigations include implementing strict URL validation and allow-listing to prevent requests to internal IP ranges (e.g., 127.0.0.1, 10.0.0.0/8, 192.168.0.0/16) and cloud metadata IP addresses (e.g., 169.254.169.254). Additionally, applying timeouts and size limits on HTTP requests can reduce the risk of resource exhaustion. Monitoring and logging all outbound requests from the Lychee server can help detect anomalous or suspicious activity indicative of exploitation attempts. Employing Web Application Firewalls (WAFs) with SSRF detection rules can provide an additional layer of defense. Finally, educating users and administrators about the risks of SSRF and enforcing the principle of least privilege for accounts interacting with Lychee can reduce the attack surface.
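The application-level mitigations listed above (scheme restriction, resolution of the host and rejection of internal and metadata ranges, a response size cap) as a defensive check, written as an added example for this page. It is not Lychee's code (Lychee is PHP; this is Python), and the blocked-range list, the 20 MiB cap and the injectable `resolve` hook are assumptions. Every resolved address is checked, and the caller is expected to connect to the returned addresses rather than re-resolving, which closes the DNS-rebinding window.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges the advisory says to block: loopback, RFC 1918, link-local (which holds
# the 169.254.169.254 metadata address) and IPv6 counterparts. Constructed list.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10")]
MAX_BYTES = 20 * 1024 * 1024  # size cap for the fetched photo (assumed value)

def _resolve(hostname):
    """All addresses a name resolves to; IP literals need no DNS lookup."""
    try:
        return [str(ipaddress.ip_address(hostname))]
    except ValueError:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(hostname, None)})

def is_blocked(ip_str):
    """True if the address is in a blocked range; IPv4-mapped IPv6 is unwrapped."""
    ip = ipaddress.ip_address(ip_str)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_multicast or any(ip in net for net in BLOCKED_NETWORKS)

def validate_outbound_url(url, resolve=_resolve):
    """Return (hostname, safe IPs) or raise ValueError. `resolve` is injectable so
    tests run offline; connect to the returned IPs instead of re-resolving."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("only http/https allowed, got %r" % parts.scheme)
    if not parts.hostname or parts.username or parts.password:
        raise ValueError("URL must have a host and carry no credentials")
    ips = resolve(parts.hostname)
    if not ips:
        raise ValueError("host did not resolve")
    for ip in ips:  # every answer must be safe, not just the first one
        if is_blocked(ip):
            raise ValueError("%s resolves to blocked address %s" % (parts.hostname, ip))
    return parts.hostname, ips

def read_bounded(stream, max_bytes=MAX_BYTES):
    """Read a response body of at most max_bytes; refuse anything larger."""
    data = bytearray()
    while chunk := stream.read(min(65536, max_bytes + 1 - len(data))):
        data += chunk
        if len(data) > max_bytes:
            raise ValueError("response exceeds %d bytes" % max_bytes)
    return bytes(data)
```

Pair this with a connect/read timeout on the actual HTTP client; the check above deliberately stops at validation and bounded reading.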
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-06-24T03:50:36.796Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 685e9924f6cf9081996a605c
Added to database: 6/27/2025, 1:14:12 PM
Last enriched: 6/27/2025, 1:16:25 PM
Last updated: 8/18/2025, 11:30:00 PM