Platform
rust
Component
lemmy_routes
Fixed versions
0.19.17
0.19.16
CVE-2026-29178 describes a Server-Side Request Forgery (SSRF) vulnerability in the lemmy_routes component of Lemmy. An unauthenticated attacker can inject arbitrary query parameters into the internal requests Lemmy makes to pict-rs, and through them make the server fetch internal or external URLs of the attacker's choosing. The vulnerability affects Lemmy versions before 0.19.16; a patched release is available.
The SSRF lets an attacker bypass network-level controls by making requests that originate from the Lemmy server itself. By smuggling a proxy parameter inside the file_type query parameter of the /api/v4/image/(unknown) endpoint, an attacker forces Lemmy to pass that parameter through to pict-rs, which then fetches the attacker-supplied URL. The practical impact depends on what the Lemmy host can reach: internal HTTP services that trust traffic from the application network, other containers or hosts on the same segment, or arbitrary external sites with the server as the apparent source. The blast radius is bounded by the Lemmy server's network position, which in a flat deployment can be most of the infrastructure.
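The injection class described above, as an added illustration that is not Lemmy's or pict-rs's code: the internal URL shape, the pict-rs host name, the parameter names and the allowlist are assumptions made for the example. The vulnerable builder splices the caller's file_type value into the internal URL verbatim, so a value containing `&proxy=...` becomes a second parameter; the hardened builder allowlists the value and percent-encodes it, so it can never terminate the parameter it belongs to.

```rust
// Added illustration, not Lemmy's or pict-rs's code. The internal URL
// shape, host name, parameter names and allowlist are assumptions.

/// Vulnerable pattern: the caller-supplied value is spliced in verbatim, so
/// "image/png&proxy=http://attacker.example/" yields an extra `proxy` pair.
pub fn build_internal_url_vulnerable(base: &str, name: &str, file_type: &str) -> String {
    format!("{}/image/original?name={}&file_type={}", base, name, file_type)
}

/// Percent-encode a query component: only RFC 3986 unreserved characters
/// pass through; '&', '=', '/', ':' and '?' are all escaped.
pub fn encode_component(s: &str) -> String {
    let mut out = String::with_capacity(s.len());
    for b in s.bytes() {
        match b {
            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'.' | b'_' | b'~' => {
                out.push(b as char)
            }
            _ => out.push_str(&format!("%{:02X}", b)),
        }
    }
    out
}

/// Assumed allowlist of the only image types the endpoint should forward.
pub const ALLOWED_FILE_TYPES: &[&str] = &["image/png", "image/jpeg", "image/gif", "image/webp"];

/// Hardened pattern: reject anything outside the allowlist, then encode what
/// remains so the value cannot introduce new parameter boundaries.
pub fn build_internal_url_fixed(base: &str, name: &str, file_type: &str) -> Result<String, String> {
    if !ALLOWED_FILE_TYPES.contains(&file_type) {
        return Err(format!("file_type not allowed: {:?}", file_type));
    }
    Ok(format!(
        "{}/image/original?name={}&file_type={}",
        base,
        encode_component(name),
        encode_component(file_type)
    ))
}

/// Split a URL's query into (key, value) pairs without decoding, which is
/// how the receiving server sees parameter boundaries.
pub fn query_pairs(url: &str) -> Vec<(String, String)> {
    let query = match url.split_once('?') {
        Some((_, q)) => q,
        None => return Vec::new(),
    };
    query
        .split('&')
        .filter(|p| !p.is_empty())
        .map(|p| {
            let (k, v) = p.split_once('=').unwrap_or((p, ""));
            (k.to_string(), v.to_string())
        })
        .collect()
}

pub fn query_has_key(url: &str, key: &str) -> bool {
    query_pairs(url).iter().any(|(k, _)| k == key)
}

fn main() {
    let hostile = "image/png&proxy=http://attacker.example/";
    let v = build_internal_url_vulnerable("http://pictrs:8080", "test.jpg", hostile);
    println!("vulnerable: {}\n  proxy injected: {}", v, query_has_key(&v, "proxy"));
    println!("fixed: {:?}", build_internal_url_fixed("http://pictrs:8080", "test.jpg", hostile));
    // Encoding alone (no allowlist) already keeps the pair count at two.
    let encoded_only = format!(
        "http://pictrs:8080/image/original?name=test.jpg&file_type={}",
        encode_component(hostile)
    );
    println!("encoded only: {}\n  proxy injected: {}", encoded_only, query_has_key(&encoded_only, "proxy"));
}
```

The allowlist is the stronger control because it removes the attacker's influence over the forwarded value entirely; the encoding step is what the advisory's fix description ("correctly validating query parameters") most directly corresponds to, and it is also the line of defence that keeps working when a new legitimate value is added later.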
This vulnerability was publicly disclosed on 2026-03-04. Currently, there are no known active campaigns exploiting this specific CVE. No public proof-of-concept (POC) code has been released, but the SSRF nature of the vulnerability makes it relatively easy to exploit. The vulnerability is not currently listed on the CISA KEV catalog.
Lemmy instances running versions prior to 0.19.16 are at risk. This includes self-hosted instances, as well as those hosted on shared infrastructure where the server environment might be less controlled. Instances that expose internal services accessible via HTTP are particularly vulnerable.
• linux / server (watch the service log for a proxy parameter reaching the image endpoint):
journalctl -u lemmy -f | grep "proxy="
• generic web (quote the URL so the shell does not treat & as a job separator; a patched instance should not fetch example.com as a result of this request):
curl -I 'http://your-lemmy-instance/api/v4/image/test.jpg?file_type=image/png&proxy=http://example.com'
Exploitation status
EPSS
0.05% (17th percentile)
CISA SSVC
The primary mitigation for CVE-2026-29178 is to upgrade Lemmy to version 0.19.16 or later, which contains the fix. If an immediate upgrade is not possible, add a Web Application Firewall (WAF) rule that blocks requests to the image endpoint whose file_type parameter, after percent-decoding, contains a second parameter (an '&', '=' or "proxy=" inside the value), and requests that carry a bare proxy parameter. In addition, restrict the Lemmy server's outbound network access (egress filtering and no route to internal management services) so that a successful SSRF has as little to reach as possible. After upgrading, confirm the fix by sending the check request above against a URL you control and verifying that no fetch arrives from the server.
Update Lemmy to version 0.19.16 or later. That release fixes the SSRF in the image endpoint by validating query parameters correctly, which stops an attacker from injecting arbitrary parameters into the internal requests to pict-rs.
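The detection commands in the list above and the WAF rule just described both reduce to one check on the request target, shown here as an added example (not code from Lemmy, pict-rs or any WAF product). The log format and every request line in it are constructed for the example; the classifier flags both the percent-encoded form the advisory describes (a proxy parameter smuggled inside file_type) and the bare `&proxy=` form used by the curl check.

```rust
// Added detection example; not code from Lemmy, pict-rs or a WAF product.
// The access-log shape and the sample lines are constructed for the example.

/// Percent-decode a query value. Malformed escapes are kept verbatim and
/// '+' is left alone, which is what we want for a detector (no surprises).
pub fn percent_decode(s: &str) -> String {
    let bytes = s.as_bytes();
    let mut out = Vec::with_capacity(bytes.len());
    let mut i = 0;
    while i < bytes.len() {
        if bytes[i] == b'%' && i + 2 < bytes.len() {
            let hex = std::str::from_utf8(&bytes[i + 1..i + 3]).unwrap_or("zz");
            if let Ok(v) = u8::from_str_radix(hex, 16) {
                out.push(v);
                i += 3;
                continue;
            }
        }
        out.push(bytes[i]);
        i += 1;
    }
    String::from_utf8_lossy(&out).into_owned()
}

/// Why a request target is suspicious, or None if it looks benign.
/// Only the image endpoint is examined; everything else is ignored.
pub fn classify_request(target: &str) -> Option<&'static str> {
    let (path, query) = match target.split_once('?') {
        Some(x) => x,
        None => (target, ""),
    };
    if !path.contains("/api/v4/image/") {
        return None;
    }
    for pair in query.split('&').filter(|p| !p.is_empty()) {
        let (k, v) = pair.split_once('=').unwrap_or((pair, ""));
        if k == "proxy" {
            return Some("bare proxy parameter on image endpoint");
        }
        if k == "file_type" {
            // Decode first: the injected form arrives as %26proxy%3D..., not as '&'.
            let decoded = percent_decode(v);
            if decoded.contains('&') || decoded.contains('=') || decoded.contains("proxy") || decoded.contains("://") {
                return Some("file_type carries an injected parameter");
            }
        }
    }
    None
}

/// Scan access-log lines; returns (line number, request target, reason) per hit.
/// Assumes the request sits between the first pair of double quotes, as in
/// the common/combined log format.
pub fn scan_log(log: &str) -> Vec<(usize, String, &'static str)> {
    log.lines()
        .enumerate()
        .filter_map(|(n, line)| {
            let start = line.find('"')? + 1;
            let end = line[start..].find('"')? + start;
            let mut parts = line[start..end].split(' ');
            let _method = parts.next()?;
            let target = parts.next()?;
            classify_request(target).map(|why| (n + 1, target.to_string(), why))
        })
        .collect()
}

/// Constructed sample log: one benign image request, one encoded injection,
/// one bare proxy parameter (the curl check), one unrelated API call.
pub const SAMPLE_LOG: &str = "\
203.0.113.7 - - [04/Mar/2026:10:00:01 +0000] \"GET /api/v4/image/test.jpg?file_type=image%2Fpng HTTP/1.1\" 200 512
203.0.113.7 - - [04/Mar/2026:10:00:02 +0000] \"GET /api/v4/image/test.jpg?file_type=image%2Fpng%26proxy%3Dhttp%3A%2F%2Finternal.example%2F HTTP/1.1\" 200 88
198.51.100.2 - - [04/Mar/2026:10:00:03 +0000] \"GET /api/v4/image/test.jpg?file_type=image/png&proxy=http://example.com HTTP/1.1\" 200 88
198.51.100.2 - - [04/Mar/2026:10:00:04 +0000] \"GET /api/v3/post/list?sort=Hot HTTP/1.1\" 200 2048
";

fn main() {
    for (line, target, why) in scan_log(SAMPLE_LOG) {
        println!("line {}: {} ({})", line, why, target);
    }
}
```

The grep in the list above only catches the bare form, because the smuggled form never contains the literal string `proxy=` until it is decoded; this is why the classifier decodes the file_type value before inspecting it, and why a WAF rule written as a plain substring match on the raw query is not sufficient.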
CVE-2026-29178 is a Server-Side Request Forgery vulnerability in the Lemmy lemmy_routes component, allowing attackers to make requests to internal or external resources as the Lemmy server.
You are affected if you are running Lemmy versions prior to 0.19.16. Upgrade to the latest version to mitigate the risk.
Upgrade Lemmy to version 0.19.16 or later. As a temporary workaround, implement a WAF rule to block suspicious file_type parameters.
Currently, there are no confirmed reports of active exploitation, but the vulnerability's nature makes it potentially exploitable.
Refer to the Lemmy project's official security advisories and release notes for details: [https://github.com/LemmyNet/lemmy/releases](https://github.com/LemmyNet/lemmy/releases)