GHSA-7RX4-C5VX-G8W3: Server-Side Request Forgery Bypass in Karakeep Metadata Extraction Workers
Vulnerability ID: GHSA-7RX4-C5VX-G8W3
CVSS Score: 8.6
Published: 2026-05-14
A critical Server-Side Request Forgery (SSRF) vulnerability exists in the Karakeep metadata extraction process prior to version 0.32.0. The flaw allows attackers to bypass primary URL validation and target internal network resources or cloud metadata services via crafted webpage metadata.
TL;DR
Karakeep workers are vulnerable to SSRF via the metascraper-logo-favicon plugin, which autonomously probes internal network resources during HTML parsing.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-918
- Attack Vector: Network
- CVSS: 8.6 (High)
- Impact: Information Disclosure / Internal Network Access
- Exploit Status: PoC Available
- Fixed Version: v0.32.0
Affected Systems
- Karakeep Worker Processes
- metascraper-logo-favicon plugin
-
Karakeep: < 0.32.0 (Fixed in:
0.32.0)
Code Analysis
Commit: 3dc321e
Implemented metascraperSafeFavicon to prevent autonomous HTTP requests during icon verification.
Mitigation Strategies
- Upgrade Karakeep to version v0.32.0 or later.
- Implement strict network egress filtering on worker nodes to deny traffic to internal IP ranges (RFC 1918) and cloud metadata services (169.254.169.254).
- Enforce IMDSv2 in AWS environments to mitigate generic SSRF token retrieval.
Remediation Steps:
- Verify the current running version of Karakeep worker processes.
- Pull the latest Docker image or source code for release v0.32.0.
- Redeploy the worker nodes with the updated version.
- Verify that egress traffic rules block unauthorized internal access from worker processes.
References
- GHSA-7RX4-C5VX-G8W3 Security Advisory
- karakeep-app/karakeep PR #2763
- Fix Commit 3dc321e7
- Karakeep v0.32.0 Release
Read the full report for GHSA-7RX4-C5VX-G8W3 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)