Severity: Medium | Status: resolved
Link unfurling calls out to arbitrary URLs and the private-network guard misses link-local addresses
Bug reported by AB was disclosed on December 22, 2025, 5:43 pm | Server-Side Request Forgery (SSRF)
A vulnerability was discovered in the application's link-unfurling feature: authenticated users could supply a URL that the server would fetch to extract OpenGraph data. The "private network" guard blocked only certain IP ranges and ignored link-local addresses, so the server could be made to issue requests to hosts in those ranges. Depending on the server's network configuration, this could have allowed access to internal resources such as cloud metadata services.
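As an added illustration (not the application's own code), the following Python contrasts a guard of the kind the report describes, which checks only RFC 1918 and loopback ranges, with a hardened guard that also covers link-local, multicast, reserved and IPv4-mapped addresses and is applied to every address a hostname resolves to. The block lists, function names and sample addresses are assumptions constructed for this example; 169.254.169.254 is the conventional cloud metadata address.

```python
import ipaddress
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def _networks(cidrs: Iterable[str]) -> List[Network]:
    return [ipaddress.ip_network(c) for c in cidrs]


# Weak guard, modelled on the report: RFC 1918 plus loopback only.
# 169.254.0.0/16 (and its IPv6 counterpart fe80::/10) is missing.
WEAK_BLOCKED = _networks(
    ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"))

# Hardened guard: unspecified, private, CGNAT, loopback, link-local,
# multicast and reserved ranges for both IPv4 and IPv6.
HARDENED_BLOCKED = _networks((
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8"))


def is_forbidden_target(addr: str, blocked: List[Network]) -> bool:
    """True if a resolved address must not be fetched. Fails closed on junk."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True
    # Unwrap IPv4-mapped IPv6 (e.g. ::ffff:169.254.169.254) so the IPv4
    # ranges above apply to it as well; an IPv4 address never matches an
    # IPv6 network and vice versa, so both lists are safe to mix.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in blocked)


def all_resolved_allowed(addrs: Iterable[str], blocked: List[Network]) -> bool:
    """Vet every address the hostname resolved to; the fetcher should then
    connect to one of these vetted addresses rather than re-resolving the
    name, which closes the DNS-rebinding window between check and use."""
    addrs = list(addrs)
    return bool(addrs) and not any(is_forbidden_target(a, blocked) for a in addrs)


if __name__ == "__main__":
    for guard_name, guard in (("weak", WEAK_BLOCKED), ("hardened", HARDENED_BLOCKED)):
        print(guard_name, "blocks 169.254.169.254:",
              is_forbidden_target("169.254.169.254", guard))
```

The weak guard lets the metadata address through while the hardened one rejects it; 198.51.100.0/24 (TEST-NET-2) is used below as a stand-in for an ordinary public host.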

