CVE-2026-33693: CWE-918: Server-Side Request Forgery (SSRF) in LemmyNet lemmy
Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.7.0-beta.9, the `v4_is_invalid()` function in `activitypub-federation-rust` (`src/utils.rs`) does not check for `Ipv4Addr::UNSPECIFIED` (0.0.0.0). An unauthenticated attacker controlling a remote domain can point it to 0.0.0.0, bypass the SSRF protection introduced by the fix for CVE-2025-25194 (GHSA-7723-35v7-qcxw), and reach localhost services on the target server. Version 0.7.0-beta.9 patches the issue.
AI Analysis
Technical Summary
Lemmy deployments running the vulnerable activitypub-federation-rust code (prior to version 0.7.0-beta.9) are exposed to SSRF (CWE-918) because the v4_is_invalid() address check in that crate's src/utils.rs does not reject the IPv4 unspecified address 0.0.0.0. That check exists to stop federation fetches from reaching internal addresses; it was introduced by the fix for CVE-2025-25194 (GHSA-7723-35v7-qcxw). On Linux a connection to 0.0.0.0 is delivered to the local host, so an unauthenticated attacker who controls a remote domain can publish a DNS A record of 0.0.0.0 for it, pass the filter, and have the Lemmy server send its outbound request to services listening on its own loopback interface. The vulnerability carries a CVSS 3.1 base score of 6.5 (medium): network attack vector, low attack complexity, no privileges required, no user interaction, low confidentiality and integrity impact, no availability impact. Version 0.7.0-beta.9 adds the missing check.
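The address check as an added example, written for this page and not taken from activitypub-federation-rust or Lemmy: a reconstructed pre-fix v4_is_invalid() (the exact ranges the real function covered are assumed) beside a hardened version that adds the is_unspecified() test, plus an IPv6 counterpart that unwraps IPv4-mapped addresses and a helper that applies the check to every address a domain resolves to. The names v4_is_invalid_old, v4_is_invalid_new, v6_is_invalid, ip_is_invalid and resolved_addrs_are_safe, and the sample domains and DNS records, are assumptions for illustration. It goes beyond the advisory's single case (0.0.0.0) to the IPv6 forms an attacker could use for the same trick.

```rust
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};

/// Hypothetical reconstruction of a pre-fix IPv4 denylist. It rejects the
/// ranges an SSRF filter for outbound federation fetches typically covers,
/// but, like the flaw described above, does not reject 0.0.0.0.
pub fn v4_is_invalid_old(ip: Ipv4Addr) -> bool {
    ip.is_loopback()             // 127.0.0.0/8
        || ip.is_private()       // 10/8, 172.16/12, 192.168/16
        || ip.is_link_local()    // 169.254/16
        || ip.is_broadcast()     // 255.255.255.255
        || ip.is_multicast()     // 224/4
        || ip.is_documentation() // 192.0.2/24, 198.51.100/24, 203.0.113/24
}

/// Hardened check: additionally rejects Ipv4Addr::UNSPECIFIED. On Linux a
/// connect() to 0.0.0.0 is delivered to the local host, so leaving it out
/// lets an attacker-controlled A record reach loopback services.
pub fn v4_is_invalid_new(ip: Ipv4Addr) -> bool {
    v4_is_invalid_old(ip) || ip.is_unspecified()
}

/// IPv6 counterpart (assumed, not from the crate). IPv4-mapped addresses
/// (::ffff:a.b.c.d) are unwrapped and run through the v4 rules so the filter
/// cannot be sidestepped by publishing an AAAA record instead of an A record.
pub fn v6_is_invalid(ip: Ipv6Addr) -> bool {
    if let Some(v4) = ip.to_ipv4_mapped() {
        return v4_is_invalid_new(v4);
    }
    let seg = ip.segments();
    ip.is_unspecified()                           // ::
        || ip.is_loopback()                       // ::1
        || ip.is_multicast()                      // ff00::/8
        || (seg[0] & 0xfe00) == 0xfc00            // fc00::/7 unique local
        || (seg[0] & 0xffc0) == 0xfe80            // fe80::/10 link local
        || (seg[0] == 0x2001 && seg[1] == 0x0db8) // 2001:db8::/32 documentation
}

pub fn ip_is_invalid(ip: IpAddr) -> bool {
    match ip {
        IpAddr::V4(v4) => v4_is_invalid_new(v4),
        IpAddr::V6(v6) => v6_is_invalid(v6),
    }
}

/// The check belongs on every address DNS returns for the remote domain, not
/// on the hostname string: the attacker controls the zone and can answer with
/// any mix of records. Returns true only when all resolved addresses are safe.
pub fn resolved_addrs_are_safe(addrs: &[IpAddr]) -> bool {
    !addrs.is_empty() && addrs.iter().all(|a| !ip_is_invalid(*a))
}

fn main() {
    // Constructed sample resolutions for an attacker-controlled domain.
    let cases: Vec<(&str, Vec<&str>)> = vec![
        ("honest.example (A -> 93.184.216.34)", vec!["93.184.216.34"]),
        ("evil.example (A -> 0.0.0.0)", vec!["0.0.0.0"]),
        ("evil.example (AAAA -> ::ffff:127.0.0.1)", vec!["::ffff:127.0.0.1"]),
    ];
    for (name, records) in &cases {
        let addrs: Vec<IpAddr> = records.iter().map(|s| s.parse().unwrap()).collect();
        println!("{name}: safe = {}", resolved_addrs_are_safe(&addrs));
    }
    let zero = Ipv4Addr::UNSPECIFIED;
    println!("0.0.0.0 rejected by old check: {}", v4_is_invalid_old(zero));
    println!("0.0.0.0 rejected by new check: {}", v4_is_invalid_new(zero));
}
```

The two final lines show the old check letting 0.0.0.0 through and the new one rejecting it. The other point worth taking from the example is where the check runs: filtering the hostname string is useless when the attacker owns the zone, so apply it to the resolved addresses and then connect to exactly the addresses that were checked, rather than resolving the name a second time.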
Potential Impact
An unauthenticated attacker can use the flaw to make the vulnerable Lemmy server issue outbound requests to services listening on its own loopback interface, which are normally unreachable from outside. Depending on what those services expose, this can disclose internal data or let the attacker trigger state changes through them (confidentiality and integrity impact). The advisory indicates no availability impact, and no exploitation in the wild has been reported at this time.
Mitigation Recommendations
Upgrade to a release that includes the fix (version 0.7.0-beta.9 or later). The advisory locates the vulnerable function in the activitypub-federation-rust crate, so confirm that the deployed Lemmy build bundles the fixed crate version rather than relying on the Lemmy version string alone. Lemmy is self-hosted, so operators must apply the update themselves; there is no vendor-side rollout. The advisory specifies no other mitigation. As general SSRF defense in depth, services that listen only on loopback should still require authentication, and host firewall rules can block connections from the Lemmy process to the host's own addresses, but neither substitutes for the patch.
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-23T16:34:59.932Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c5d2fe3c064ed76ff4047c
Added to database: 3/27/2026, 12:44:46 AM
Last enriched: 4/3/2026, 1:11:26 PM
Last updated: 5/11/2026, 7:00:29 AM