Platform: rust
Component: lemmy_routes
Fixed in: 0.19.17, 0.19.16
CVE-2026-29178 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in the lemmy_routes component of Lemmy. This vulnerability allows an unauthenticated attacker to inject arbitrary query parameters into internal requests made by the pict-rs library, potentially enabling them to fetch sensitive data from internal resources or external URLs. The vulnerability impacts Lemmy versions before 0.19.16, and a patch has been released to address the issue.
The SSRF vulnerability in Lemmy allows attackers to bypass security controls and make requests to internal or external resources as if they were originating from the Lemmy server. By injecting the proxy parameter into the file_type query parameter of the /api/v4/image/(unknown) endpoint, an attacker can force Lemmy to fetch arbitrary URLs. This could lead to the exposure of sensitive internal data, such as configuration files or database credentials, or even allow an attacker to interact with other internal services. The blast radius extends to any internal resources accessible from the Lemmy server, potentially compromising the entire infrastructure.
This vulnerability was publicly disclosed on 2026-03-04. Currently, there are no known active campaigns exploiting this specific CVE. No public proof-of-concept (POC) code has been released, but the SSRF nature of the vulnerability makes it relatively easy to exploit. The vulnerability is not currently listed on the CISA KEV catalog.
Lemmy instances running versions prior to 0.19.16 are at risk. This includes self-hosted instances, as well as those hosted on shared infrastructure where the server environment might be less controlled. Instances that expose internal services accessible via HTTP are particularly vulnerable.
• linux / server (watch the Lemmy service log for requests carrying a proxy parameter):

```bash
journalctl -u lemmy -f | grep "proxy="
```

• generic web (the URL must be quoted, otherwise the shell treats `&` as a background operator and drops the proxy parameter):

```bash
curl -I "http://your-lemmy-instance/api/v4/image/test.jpg?file_type=image/png&proxy=http://example.com"
```

Disclosure
Exploit status
EPSS: 0.05% (17th percentile)
CISA SSVC
The primary mitigation for CVE-2026-29178 is to upgrade Lemmy to version 0.19.16 or later, which includes a fix for the vulnerability. If upgrading immediately is not possible, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious file_type parameters with the proxy parameter. Additionally, review and restrict network access for the Lemmy server to minimize the potential impact of a successful SSRF attack. After upgrading, confirm the fix by attempting to access an external URL via the vulnerable endpoint and verifying that the request is blocked or handled securely.
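The log check above and the interim WAF rule described here both come down to the same test: does the file_type value of a request to the image endpoint carry a smuggled, percent-encoded query parameter such as proxy=? The Python below is an added example (not Lemmy's, pict-rs's or this advisory's own code) that implements that test once and applies it both as a request-level allow/deny decision and as a pass over access-log lines. The access-log format, the sample lines, the client addresses and the MIME-type allowlist are all constructed assumptions for the example; the only fact taken from the advisory is that an injected proxy parameter inside file_type is the thing to look for. It also handles the double-encoded variant, where one hop decodes %2526 to %26 and only the next hop would see a literal `&`.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

IMAGE_PATH_PREFIX = "/api/v4/image/"  # endpoint named in the advisory
# Parameter names that must never appear nested inside file_type. 'proxy' is
# the one the advisory names; keeping the set extensible is an assumption.
FORBIDDEN_NESTED = {"proxy"}
# Practical allowlist for a MIME type such as image/png (assumption: stricter
# than RFC 6838, which is acceptable for a blocking rule on this one endpoint).
MIME_RE = re.compile(r"^[A-Za-z0-9.+_-]+/[A-Za-z0-9.+_-]+$")
# Apache/nginx-style access log line; this format is constructed for the example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)


def suspicious_file_type(value: str) -> list[str]:
    """Return the reasons a once-decoded file_type value looks like parameter injection."""
    reasons = []
    # Decode a second time: a double-encoded value survives the first decode as
    # '%26proxy%3D...' and would become '&proxy=...' at the next hop (pict-rs).
    decoded = unquote(value)
    if decoded != value:
        reasons.append("file_type was still percent-encoded after one decode")
    if not MIME_RE.match(decoded):
        reasons.append(f"file_type is not a plain MIME type: {decoded!r}")
    # Treat everything after the first '&' as a query string and look for
    # parameter names that have no business being nested in a MIME type.
    nested = dict(parse_qsl(decoded.partition("&")[2], keep_blank_values=True))
    for name in sorted(FORBIDDEN_NESTED.intersection(nested)):
        reasons.append(f"nested {name}= parameter smuggled inside file_type")
    return reasons


def check_target(target: str) -> list[str]:
    """WAF-style decision for one request target (path plus query): [] means allow."""
    parts = urlsplit(target)
    if not parts.path.startswith(IMAGE_PATH_PREFIX):
        return []  # rule is scoped to the image endpoint only
    findings = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key == "file_type":
            findings.extend(suspicious_file_type(value))
    return findings


def scan_access_log(lines) -> list[tuple[str, str, list[str]]]:
    """Return (client_ip, target, findings) for every log line the rule flags."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = check_target(m["target"])
        if findings:
            hits.append((m["ip"], m["target"], findings))
    return hits


# Constructed sample log: one benign request, one single-encoded injection,
# one double-encoded injection, and one unrelated endpoint that must not match.
SAMPLE_LOG = [
    '203.0.113.5 - - [04/Mar/2026:10:00:00 +0000] "GET /api/v4/image/cat.webp'
    '?file_type=image%2Fwebp HTTP/1.1" 200 5120',
    '203.0.113.9 - - [04/Mar/2026:10:00:01 +0000] "GET /api/v4/image/cat.webp'
    '?file_type=image%2Fpng%26proxy%3Dhttp%3A%2F%2Finternal.example%2F HTTP/1.1" 200 88',
    '198.51.100.7 - - [04/Mar/2026:10:00:02 +0000] "GET /api/v4/image/cat.webp'
    '?file_type=image%252Fpng%2526proxy%253Dhttp%253A%252F%252Finternal.example%252F HTTP/1.1" 200 88',
    '203.0.113.5 - - [04/Mar/2026:10:00:03 +0000] "GET /api/v4/site'
    '?file_type=image%2Fpng%26proxy%3Dx HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, target, findings in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {target}")
        for reason in findings:
            print(f"   - {reason}")
```

Running the file prints the two flagged requests with their reasons. Blocking on any non-empty result from `check_target` is the interim WAF rule; the same function fed with targets from the access log gives a retrospective sweep of the window before the upgrade to 0.19.16.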
Update Lemmy to version 0.19.16 or later. That release fixes the SSRF vulnerability in the image endpoint by validating the query parameters correctly, so attackers can no longer inject arbitrary parameters into the internal pict-rs request.
CVE-2026-29178 is a Server-Side Request Forgery vulnerability in the Lemmy lemmy_routes component, allowing attackers to make requests to internal or external resources as the Lemmy server.
You are affected if you are running Lemmy versions prior to 0.19.16. Upgrade to the latest version to mitigate the risk.
Upgrade Lemmy to version 0.19.16 or later. As a temporary workaround, implement a WAF rule to block suspicious file_type parameters.
Currently, there are no confirmed reports of active exploitation, but the vulnerability's nature makes it potentially exploitable.
Refer to the Lemmy project's official security advisories and release notes for details: [https://github.com/LemmyNet/lemmy/releases](https://github.com/LemmyNet/lemmy/releases)