Dark C0d3rs
HackerOne Disclosed Reports - 2025-12-22 - Printable Version

HackerOne disclosed reports - 2025-12-22 - hashXploiter - 12-23-2025

Severity: Medium
State: resolved

Link unfurling calls out to arbitrary URLs and the private-network guard misses link-local addresses


Bug reported by AB, disclosed on December 22, 2025, 5:43 pm   |   Server-Side Request Forgery (SSRF)

A vulnerability was discovered in the application that allowed authenticated users to supply a URL that the server would fetch for OpenGraph data. The "private network" guard only blocked certain IP ranges, but ignored link-local addresses, enabling server-side requests to be made to those hosts. This could have potentially allowed access to internal resources, such as cloud metadata services, depending on the server's network configuration.
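To make the guard failure concrete, here is an added example (not code from the report or the affected application) that places a fixed-range blocklist of the kind the report describes beside a hardened check that rejects every non-global address, link-local included, across IPv4, IPv6 and IPv4-mapped IPv6. The URL helper, the `resolver` parameter and all addresses are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# A guard in the spirit of the reported one: a fixed list of "private" ranges.
# 169.254.0.0/16 (link-local) and every IPv6 range are simply absent.
WEAK_BLOCKLIST = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def weak_guard_allows(ip: str) -> bool:
    """Flawed check: returns True for 169.254.x.x because it is not listed."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in WEAK_BLOCKLIST)

def is_public_address(ip: str) -> bool:
    """Hardened check: allow only globally routable unicast addresses."""
    addr = ipaddress.ip_address(ip)
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so the IPv4 rules apply to it too.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)

def default_resolver(host: str) -> list:
    # Real DNS lookup (every A and AAAA record); tests inject a constructed table.
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def unfurl_target_allowed(url: str, resolver=default_resolver) -> bool:
    """Hypothetical gate for a link unfurler: may the server fetch this URL?"""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname
    try:
        addrs = [str(ipaddress.ip_address(host))]   # literal IP in the URL
    except ValueError:
        addrs = resolver(host)                      # hostname: check every record
    # Every resolved address must be public; a single bad record refuses the fetch.
    return bool(addrs) and all(is_public_address(a) for a in addrs)
```

The check is only as good as its binding to the actual connection: the fetcher should connect to the address it validated (rather than resolving again) and re-run the gate on every redirect target.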