Platform
nodejs
Component
postiz-app
Fixed in
1.62.3
CVE-2025-53641 describes a server-side request forgery (SSRF) vulnerability in Postiz, an AI social media scheduling tool. The flaw lets an unauthenticated client inject arbitrary HTTP headers into requests that the Postiz backend then issues itself, so the attacker can steer outbound requests that originate from the Postiz server. The vulnerability affects versions 1.45.1 through 1.62.2 and is resolved in version 1.62.3.
Because the forged request is sent from the Postiz server, it reaches whatever that server can reach: internal services that are not exposed to the internet, the cloud metadata endpoint (for example 169.254.169.254 on AWS, which can hand out instance credentials), and internal APIs that trust the server's network position. An attacker can use this to scan internal network ranges, read internal data, or drive internal services that perform side effects on a plain HTTP request. The blast radius is therefore every system reachable over outbound HTTP from the Postiz host, which is what makes a header-injection bug in a scheduling tool a serious issue.
The vulnerability was publicly disclosed on 2025-07-11. There is no indication of active exploitation campaigns at this time, and it is not listed in the CISA KEV catalog. No public proof-of-concept exploit is available yet, but SSRF issues of this kind are usually straightforward to weaponize once the injection point is known. The EPSS score is 0.05% (14th percentile), i.e. a low predicted probability of exploitation in the wild.
Organizations running Postiz are at risk in proportion to what the Postiz host can reach over HTTP: deployments with sensitive internal services, cloud metadata endpoints, or internal APIs on the same network are the most exposed. Shared hosting is a specific concern because an SSRF from Postiz can target other applications' local or internal endpoints on the same host or network segment, turning a bug in one application into a foothold against its neighbours.
• nodejs: Monitor Postiz application logs for unusual outbound HTTP requests, in particular requests whose destination is a loopback, private (RFC 1918) or link-local address such as the cloud metadata endpoint 169.254.169.254, or requests that carry headers the application never sets itself.
grep -Ei 'https?://(169\.254\.|10\.|127\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|localhost|\[::1\])' /var/log/postiz/access.log
(The log path is illustrative; containerized deployments usually need docker logs or the configured log driver's output instead.)
• generic web: Use curl to test for SSRF by attempting to reach an internal resource through the Postiz application. The exact injectable header is not given here, so X-Custom-Header below is a placeholder for the real injection point, and the test should only be run against systems you are authorized to test.
curl -i -H "X-Custom-Header: http://169.254.169.254/latest/meta-data/" http://<postiz_server_ip>
• generic web: Examine Postiz's access and error logs for signs of header injection attempts (CR/LF sequences or URLs inside header values) and for outbound requests to destinations the application has no business contacting.
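The log-review idea above, worked through as an added example (this is not code from the page or from the Postiz project): a small Python script that applies the "is this outbound request aimed at something internal?" test to constructed log lines. The log format is an assumption, as are the sample lines; the classification uses the standard-library ipaddress module and handles the usual evasions (bracketed IPv6, IPv4-mapped IPv6, a bare decimal IP such as 2130706433 for 127.0.0.1).

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample of outbound-request log lines. This is NOT Postiz's real log
# format; an assumed "timestamp outbound METHOD URL STATUS" layout is used for illustration.
SAMPLE_LOG = """\
2025-07-12T10:00:01Z outbound GET https://api.twitter.com/2/tweets 200
2025-07-12T10:00:02Z outbound GET http://169.254.169.254/latest/meta-data/ 200
2025-07-12T10:00:03Z outbound POST http://10.0.3.15:8080/admin/users 401
2025-07-12T10:00:04Z outbound GET http://[::1]:9200/_cat/indices 200
2025-07-12T10:00:05Z outbound GET https://graph.facebook.com/v19.0/me 200
2025-07-12T10:00:06Z outbound GET http://localhost/internal 200
2025-07-12T10:00:07Z outbound GET http://2130706433/ 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) outbound (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

# Hostnames that always mean "this machine / this cloud" regardless of DNS.
LOCAL_NAMES = {"localhost", "metadata", "metadata.google.internal"}


def host_to_ip(host):
    """Return an ip_address for IP-literal hosts, including a bare decimal form
    such as 2130706433 (== 127.0.0.1); return None for DNS names."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    if host.isdigit():
        try:
            return ipaddress.IPv4Address(int(host))
        except ValueError:
            return None
    return None


def is_internal_target(url):
    """True if the URL's host is a loopback, private, link-local or otherwise non-public
    address or a well-known local name.

    DNS names are not resolved here (this is offline log review), so a public-looking
    hostname that happens to point at an internal IP is not caught by this check."""
    host = urlsplit(url).hostname  # lower-cased, IPv6 brackets already stripped
    if not host:
        return True  # unparsable target: treat as suspicious
    if host in LOCAL_NAMES or host.endswith((".internal", ".local", ".localhost")):
        return True
    ip = host_to_ip(host)
    if ip is None:
        return False
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.1 is really 10.0.0.1
    return not ip.is_global


def find_internal_requests(log_text):
    """Return (timestamp, method, url) for every outbound request aimed at an internal target."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and is_internal_target(m["url"]):
            hits.append((m["ts"], m["method"], m["url"]))
    return hits


if __name__ == "__main__":
    for ts, method, url in find_internal_requests(SAMPLE_LOG):
        print(f"{ts} {method} {url}")
```

Run against the sample it flags five of the seven lines (the metadata endpoint, the 10.x host, [::1], localhost and the decimal literal) and leaves the two social-network API calls alone. Treat a hit as a lead, not a verdict: a legitimate deployment may talk to internal services on purpose, and the script deliberately does not resolve names, so pair it with egress logging at the network layer if you need to catch hostnames that resolve to internal addresses.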
Exploit status
disclosure
EPSS
0.05% (14th percentile)
The primary mitigation for CVE-2025-53641 is to upgrade Postiz to version 1.62.3 or later. If upgrading is not immediately feasible, reduce what an SSRF can reach rather than relying on request filtering alone. A Web Application Firewall can drop requests whose headers contain CR/LF sequences or URL-shaped values, but it only helps if the injection point sits in traffic the WAF actually inspects. Apply least privilege to the Postiz host's egress as well: block outbound connections from the Postiz container or host to loopback, RFC 1918 and link-local ranges (including the cloud metadata endpoint 169.254.169.254; on AWS, require IMDSv2 and leave the response hop limit at 1 so a containerized application cannot reach it through the bridge), and allow only the social-network APIs Postiz legitimately needs. After upgrading, confirm the fix by sending a request with a crafted header aimed at an internal address and verifying that no outbound request to that address is made.
Update the Postiz application to version 1.62.3 or later. This version contains the fix for the SSRF vulnerability that allows injection of arbitrary HTTP headers. Updating removes the risk of an attacker initiating unauthorized requests from the server.
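The least-privilege point above, as an added example (illustrative code, not Postiz's implementation): an outbound-request guard that copies only allowlisted headers into the server's own request, refuses CR/LF anywhere in a header, and validates the destination by resolving it once and rejecting any answer in a non-public range. The header allowlist, the constructed DNS table and the hostnames in it are assumptions for the example; a real deployment would use the system resolver.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed allowlist of request headers the server may copy into its own outbound request.
# Illustrative policy for this example, not Postiz configuration.
FORWARDABLE_HEADERS = frozenset({"accept", "content-type", "user-agent"})

# Constructed DNS answers so the example runs offline. 8.8.8.8 stands in for any public IP.
FAKE_DNS = {
    "api.twitter.com": ["8.8.8.8"],
    "intranet.corp": ["10.1.2.3"],
    "rebind.attacker.example": ["8.8.8.8", "127.0.0.1"],
}


def fake_resolver(host):
    return FAKE_DNS.get(host, [])


def default_resolver(host):
    """System resolver; returns every A/AAAA answer as a string (used outside the example)."""
    return [ai[4][0] for ai in socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)]


def sanitize_outbound_headers(headers):
    """Keep only allowlisted headers and refuse CR/LF anywhere (header/request splitting)."""
    clean = {}
    for name, value in headers.items():
        if any(c in name or c in value for c in "\r\n"):
            raise ValueError(f"CR/LF in header {name!r}")
        lname = name.strip().lower()
        if lname in FORWARDABLE_HEADERS:
            clean[lname] = value
    return clean


def headers_rejected(headers):
    """True if sanitize_outbound_headers refuses the header set."""
    try:
        sanitize_outbound_headers(headers)
        return False
    except ValueError:
        return True


def is_public_ip(ip):
    """True only for globally routable unicast addresses; IPv4-mapped IPv6 is judged by its IPv4 part."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def check_outbound_target(url, resolver=default_resolver):
    """Validate scheme, port and every address the host maps to; return the approved addresses.

    The caller should connect to one of the returned addresses rather than re-resolving the
    name, so a DNS answer that changes between check and connect cannot redirect the request."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme {parts.scheme!r} not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if port not in (80, 443):
        raise ValueError(f"port {port} not allowed")
    try:
        addrs = [ipaddress.ip_address(host)]            # plain IP literal
    except ValueError:
        if host.isdigit():                               # obfuscated literal, e.g. http://2130706433/
            addrs = [ipaddress.IPv4Address(int(host))]
        else:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
    if not addrs:
        raise ValueError(f"{host} did not resolve")
    bad = [str(a) for a in addrs if not is_public_ip(a)]
    if bad:
        raise ValueError(f"{host} maps to non-public address(es): {bad}")
    return addrs


def is_rejected(url, resolver=fake_resolver):
    """True if check_outbound_target refuses the URL."""
    try:
        check_outbound_target(url, resolver)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    for url in ["https://api.twitter.com/2/tweets", "http://169.254.169.254/latest/meta-data/",
                "http://intranet.corp/", "http://rebind.attacker.example/", "http://2130706433/"]:
        print(f"{url:45} -> {'REJECT' if is_rejected(url) else 'allow'}")
    print(sanitize_outbound_headers({"Accept": "application/json", "X-Forwarded-For": "1.2.3.4"}))
```

Two design choices matter here. First, every resolved address is checked, not just the first, so a name that answers with one public and one loopback address is refused outright. Second, the guard returns the vetted addresses so the HTTP client can pin the connection to them; validating the name and then letting the client resolve it again is exactly the window a DNS-rebinding attacker uses. Network-level egress filtering is still the backstop, because an application-level guard only protects the code paths that call it.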
CVE-2025-53641 is a HIGH severity SSRF vulnerability affecting Postiz versions 1.45.1 through 1.62.2, allowing attackers to inject HTTP headers and potentially initiate unauthorized outbound requests.
You are affected if you are running Postiz versions 1.45.1 to 1.62.2. Upgrade to version 1.62.3 or later to resolve the vulnerability.
Upgrade Postiz to version 1.62.3 or later. As a temporary measure, filter suspicious HTTP headers at a WAF and restrict outbound network access from the Postiz host to the services it actually needs.
There is currently no evidence of active exploitation, but the SSRF nature of the vulnerability makes it a potential target.
Refer to the Postiz security advisory for detailed information and updates regarding CVE-2025-53641.