Dark C0d3rs

Full Version: HackerOne Disclosed Reports - 2025-12-22
Medium
resolved

Link unfurling calls out to arbitrary URLs and the private-network guard misses link-local addresses


Bug reported by AB, disclosed on December 22, 2025, 5:43 pm   |   Server-Side Request Forgery (SSRF)

A vulnerability was discovered in the application's link-unfurling feature: an authenticated user could supply an arbitrary URL, and the server would fetch it to extract OpenGraph data. The "private network" guard in front of that fetch was a blocklist of a few IP ranges and did not cover link-local addresses (169.254.0.0/16, and fe80::/10 for IPv6), so server-side requests could still be sent to hosts in those ranges. Depending on the server's network configuration, this could have exposed internal resources such as cloud metadata services, which are conventionally served from the link-local address 169.254.169.254. A guard written as a short list of forbidden ranges is the wrong shape for this problem: it should reject every address that is not globally routable unicast, and it should be applied to each address the target hostname resolves to, not only to the hostname as written.
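The following is an added example, not code from the report or the affected application. It puts a naive range-blocklist guard of the kind the report describes beside a hardened one that classifies addresses with Python's ipaddress module, unwraps IPv4-mapped IPv6, and vets every address a hostname resolves to. The hostnames, the resolver table and the IP addresses are constructed for the example so it runs offline.

```python
"""Naive vs hardened 'private network' guard for a link-unfurling fetcher.

Added example (not the vendor's code). The naive guard reproduces the class
of bug in the report: it blocks RFC 1918 and loopback ranges but forgets
link-local 169.254.0.0/16, where cloud metadata (169.254.169.254) lives.
"""
import ipaddress
from urllib.parse import urlsplit

# The kind of guard the report describes: a hand-written blocklist that omits
# link-local, IPv6 and IPv4-mapped IPv6 addresses.
NAIVE_BLOCKLIST = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_blocked_naive(ip_str: str) -> bool:
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in NAIVE_BLOCKLIST)


def is_blocked_hardened(ip_str: str) -> bool:
    """Deny anything that is not a globally routable unicast address.

    IPv4-mapped IPv6 (::ffff:a.b.c.d) is unwrapped so the embedded IPv4
    address is the one judged; otherwise ::ffff:169.254.169.254 could slip
    past a guard that only understands IPv4 ranges.
    """
    ip = ipaddress.ip_address(ip_str)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


# Constructed DNS table (hypothetical names) so the example runs offline.
# A real fetcher would call socket.getaddrinfo once, vet every returned
# address, and connect to the vetted address rather than resolving again.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "metadata.internal": ["169.254.169.254"],
    "rebind.attacker.test": ["93.184.216.34", "169.254.169.254"],
}


def check_unfurl_target(url: str, resolver=FAKE_DNS.get) -> tuple[bool, str]:
    """Return (allowed, reason) for a URL submitted for unfurling."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        # A literal IP in the URL needs no resolution (brackets are
        # already stripped from IPv6 literals by urlsplit).
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        addrs = resolver(host) or []
    if not addrs:
        return False, f"{host} did not resolve"
    # Every address must pass: a name that resolves to one public and one
    # link-local address is still a path to the metadata service.
    for addr in addrs:
        if is_blocked_hardened(addr):
            return False, f"{host} resolves to non-routable {addr}"
    return True, f"ok: {host} -> {addrs}"


if __name__ == "__main__":
    for target in ("169.254.169.254", "fe80::1", "::ffff:169.254.169.254"):
        print(target, "naive:", is_blocked_naive(target),
              "hardened:", is_blocked_hardened(target))
    for url in ("https://example.com/page",
                "http://169.254.169.254/latest/meta-data/",
                "http://rebind.attacker.test/"):
        print(url, check_unfurl_target(url))
```

Two caveats the check alone does not cover: the fetcher must disable automatic redirects (or re-run the check on each redirect target), since a public host can 302 to 169.254.169.254; and it must connect to the address it validated rather than letting the HTTP client resolve the name a second time, or a DNS rebinding answer can change between check and use.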