Platform
nodejs
Component
postiz-app
Fixed in
1.62.3
CVE-2025-53641 is a server-side request forgery (SSRF) vulnerability in Postiz, an AI social media scheduling tool. Attacker-controlled input ends up in the HTTP headers of requests the Postiz server makes on the attacker's behalf, so an attacker can inject arbitrary headers and cause the server to issue outbound requests it would not otherwise send. Versions 1.45.1 through 1.62.2 are affected; the fix shipped in version 1.62.3.
Because the injected headers ride on requests the server itself sends, the attacker reaches whatever the Postiz host can reach rather than what the attacker can reach directly: internal services that are not exposed to the internet, cloud instance metadata endpoints (169.254.169.254 on the major providers, which can hand out temporary credentials), and internal APIs that implicitly trust requests originating inside the network. Differences in responses also let an attacker map internal address ranges. The blast radius is every system reachable by outbound HTTP from the Postiz server, which makes this a serious issue for any deployment with non-trivial internal connectivity.
The vulnerability was publicly disclosed on 2025-07-11. At the time of writing there is no indication of active exploitation, it is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, and no public proof-of-concept is known. Its EPSS score is 0.05% (14th percentile), a low predicted probability of exploitation activity in the next 30 days; SSRF flaws are nonetheless routinely weaponized once details are public, so treat the score as a snapshot rather than a guarantee.
Exploit Status
EPSS
0.05% (14th percentile)
The primary mitigation for CVE-2025-53641 is to upgrade Postiz to version 1.62.3 or later. Where that cannot happen immediately, reduce what the Postiz host can reach rather than relying on filtering alone: apply egress rules so the server can only connect to the social-media APIs it needs, and explicitly deny traffic to RFC 1918 ranges, loopback, and the link-local range 169.254.0.0/16 that hosts cloud metadata services. A Web Application Firewall can add a layer by rejecting requests whose parameters contain CR/LF sequences or other header-injection patterns, but a WAF only sees inbound traffic and cannot tell which outbound header an injected value lands in, so treat it as defense in depth rather than a fix. Run Postiz with the least privilege it needs, including a cloud instance role with minimal permissions, so that a successful SSRF yields as little as possible. After upgrading, confirm the fix in a test environment by submitting input containing a crafted header and verifying that the server either rejects it or does not reproduce it in the outbound request.
Update Postiz to version 1.62.3 or later. That release fixes the header injection that enables the SSRF and removes the ability to initiate unauthorized requests from the server through this path.
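The two controls a fix for this class of bug needs, validating and allowlisting any client-influenced headers and refusing outbound destinations on internal or link-local address space, are shown below in a Node.js request builder. This is an added example, not Postiz's own code; the page does not describe the vulnerable endpoint, so the example demonstrates the general pattern rather than the specific fix. The function names (sanitizeHeaders, isBlockedAddress, assertSafeTarget, buildOutboundRequest), the header allowlist and the sample resolved address 93.184.216.34 are all assumptions.

```javascript
// Added example, not Postiz code: a hardened builder for server-side
// outbound HTTP requests that carry client-influenced headers.
// Function names, the header allowlist and the sample address are assumptions.

// Only headers a legitimate caller needs are forwarded; everything else
// the client supplies is dropped, so an injected Host/Authorization/Cookie
// header can never reach the outbound request.
const HEADER_ALLOWLIST = new Set(["accept", "accept-language", "user-agent"]);

// RFC 7230 token characters for header names; CR, LF and NUL are never
// legal in a header value and are the classic header-injection payload.
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
const BAD_VALUE_RE = /[\r\n\0]/;

function sanitizeHeaders(untrusted) {
  const out = {};
  for (const [rawName, rawValue] of Object.entries(untrusted)) {
    const name = String(rawName).trim().toLowerCase();
    const value = String(rawValue);
    // Malformed names and CR/LF values are injection attempts: fail loudly
    // so the event gets logged, rather than silently passing a cleaned copy.
    if (!TOKEN_RE.test(name)) throw new Error(`invalid header name ${JSON.stringify(rawName)}`);
    if (BAD_VALUE_RE.test(value)) throw new Error(`CR/LF/NUL in value of header ${name}`);
    if (HEADER_ALLOWLIST.has(name)) out[name] = value; // unknown headers are dropped
  }
  return out;
}

// True for literal addresses an internet-facing scheduler has no business
// reaching: loopback, RFC 1918, CGNAT, link-local (which contains the cloud
// metadata address 169.254.169.254), multicast/broadcast, and the IPv6
// loopback, link-local, unique-local and IPv4-mapped equivalents.
function isBlockedAddress(ip) {
  const v4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (v4) {
    const [a, b] = v4.slice(1).map(Number);
    return a === 0 || a === 10 || a === 127 || a >= 224 ||
      (a === 100 && b >= 64 && b <= 127) ||
      (a === 169 && b === 254) ||
      (a === 172 && b >= 16 && b <= 31) ||
      (a === 192 && b === 168);
  }
  const v6 = ip.toLowerCase();
  if (!v6.includes(":")) return false; // a hostname, not a literal: see resolvedAddresses below
  if (v6 === "::1" || v6 === "::") return true;
  if (/^fe[89ab]/.test(v6) || /^f[cd]/.test(v6)) return true; // fe80::/10, fc00::/7
  if (v6.startsWith("::ffff:")) {
    // IPv4-mapped: dotted form comes from DNS, hex form (::ffff:7f00:1) from the URL parser.
    const rest = v6.slice(7);
    if (rest.includes(".")) return isBlockedAddress(rest);
    const [hi, lo] = rest.split(":").map((h) => parseInt(h, 16));
    if (Number.isNaN(hi) || Number.isNaN(lo)) return true; // unparseable: deny
    return isBlockedAddress(`${hi >> 8}.${hi & 0xff}.${lo >> 8}.${lo & 0xff}`);
  }
  return false;
}

// Validates the URL and every address the caller resolved for its host.
// Resolve once (dns.lookup with { all: true }), check here, then connect to
// one of the checked addresses; re-resolving at connect time reopens the
// DNS-rebinding hole this check closes.
function assertSafeTarget(rawUrl, resolvedAddresses = []) {
  const url = new URL(rawUrl); // throws on garbage; canonicalizes 2130706433 -> 127.0.0.1
  if (url.protocol !== "http:" && url.protocol !== "https:") throw new Error(`scheme not allowed: ${url.protocol}`);
  if (url.username || url.password) throw new Error("credentials in URL are not allowed");
  const host = url.hostname.replace(/^\[|\]$/g, ""); // the URL parser brackets IPv6 literals
  for (const addr of [host, ...resolvedAddresses]) {
    if (isBlockedAddress(addr)) throw new Error(`destination not allowed: ${addr}`);
  }
  return url;
}

// Combines both checks; returns what a real client would hand to fetch/undici.
function buildOutboundRequest(rawUrl, untrustedHeaders, resolvedAddresses = []) {
  const url = assertSafeTarget(rawUrl, resolvedAddresses);
  const headers = sanitizeHeaders(untrustedHeaders);
  return { method: "GET", url: url.href, headers };
}

// Stand-alone demo (93.184.216.34 is a constructed "resolved" address).
try {
  buildOutboundRequest("http://169.254.169.254/latest/meta-data/", {});
} catch (e) {
  console.log("refused:", e.message);
}
console.log(buildOutboundRequest("https://example.com/feed",
  { Accept: "application/json", "X-Forwarded-For": "1.1.1.1" }, ["93.184.216.34"]));
```

The allowlist is the important half: a CR/LF check alone stops one injection technique, but an endpoint that copies a client-chosen header name and value verbatim into the outbound request needs no CR/LF to smuggle a Host or Authorization header. The destination check is deliberately applied to both the literal host and the resolved addresses so that a hostname the attacker controls cannot be pointed at an internal address after validation.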
CVE-2025-53641 is a HIGH severity SSRF vulnerability affecting Postiz versions 1.45.1 through 1.62.2, allowing attackers to inject HTTP headers and potentially initiate unauthorized outbound requests.
You are affected if you are running Postiz versions 1.45.1 to 1.62.2. Upgrade to version 1.62.3 or later to resolve the vulnerability.
Upgrade Postiz to version 1.62.3 or later. As temporary mitigations, restrict outbound network access from the Postiz host to the destinations it needs and, as defense in depth, filter header-injection patterns at a WAF.
There is currently no evidence of active exploitation, but the SSRF nature of the vulnerability makes it a potential target.
Refer to the Postiz security advisory for detailed information and updates regarding CVE-2025-53641.