CVE-2025-53018

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-53018

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-53018.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-53018

Aliases

GHSA-cpgw-wgf3-xc6v

Published

2025-06-27T13:00:14.086Z

Modified

2026-04-02T12:52:41.906810Z

Severity

3.0 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N CVSS Calculator

Summary

Lychee has Server-Side Request Forgery (SSRF) in Photo::fromUrl API via unvalidated remote image URLs

Details

Lychee is a free, open-source photo-management tool. Prior to version 6.6.13, a critical Server-Side Request Forgery (SSRF) vulnerability exists in the /api/v2/Photo::fromUrl endpoint. This flaw lets an attacker instruct the application’s backend to make HTTP requests to any URL they choose. Consequently, internal network resources—such as localhost services or cloud-provider metadata endpoints—become reachable. The endpoint takes a URL from the user and calls it server-side via fopen() without any safeguards. There is no IP address validation, nor are there any allow-list, timeout, or size restrictions. Because of this, attackers can point the application at internal targets. Using this flaw, an attacker can perform internal port scans or retrieve sensitive cloud metadata. Version 6.6.13 contains a patch for the issue.

Database specific

{
    "cwe_ids": [
        "CWE-918"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/53xxx/CVE-2025-53018.json",
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/lycheeorg/lychee

Affected ranges

Type: GIT
Repo: https://github.com/lycheeorg/lychee
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

9dc162eefe56ce185ac1d59da42ee557933d914d

Affected versions

v4.*

v4.0.0

v4.0.0-alpha.1

v4.0.0-beta.1

v4.0.0-beta.2

v4.0.1

v4.0.2

v4.0.3

v4.0.4

v4.0.5

v4.0.6

v4.0.7

v4.0.8

v4.1.0

v4.10.0

v4.11.0

v4.11.1

v4.12.0

v4.13.0

v4.2.0

v4.2.1

v4.2.2

v4.3.0

v4.3.4

v4.3.5

v4.3.6

v4.4.0

v4.5.0

v4.5.1

v4.5.2

v4.5.3

v4.6.0

v4.6.0-RC

v4.6.0-RC2

v4.6.0-RC3

v4.6.1

v4.6.1-RC1

v4.6.1-RC2

v4.6.2

v4.6.2-RC1

v4.6.2-RC2

v4.6.3-RC1

v4.6.4

v4.6.5

v4.7.0

v4.7.1

v4.7.2

v4.7.3

v4.7.4

v4.8.0

v4.8.1

v4.9.0

v4.9.1

v4.9.2

v4.9.3

v4.9.3-RC

v4.9.4

v5.*

v5.0.0

v5.0.0-beta

v5.0.1

v5.0.2

v5.0.3

v5.1.0

v5.1.1

v5.1.2

v5.2.0

v5.2.1

v5.2.2

v5.3.0

v5.3.1

v5.4.0

v5.5.0

v5.5.1

v6.*

v6.0.0

v6.0.1

v6.1.0

v6.1.1

v6.1.2

v6.2.0

v6.3.0

v6.3.1

v6.3.2

v6.3.3

v6.3.4

v6.3.5

v6.4.0

v6.4.1

v6.4.2

v6.5.0

v6.5.1

v6.5.2

v6.5.3

v6.6.0

v6.6.1

v6.6.10

v6.6.11

v6.6.12

v6.6.2

v6.6.3

v6.6.4

v6.6.5

v6.6.6

v6.6.7

v6.6.8

v6.6.9

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-53018.json"