DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

GHSA-89V5-38XR-9M4J: Multiple Server-Side Request Forgery (SSRF) Vectors in Postiz

Vulnerability ID: GHSA-89V5-38XR-9M4J
CVSS Score: Not Assigned
Published: 2026-03-27

Postiz versions prior to v2.21.2 are vulnerable to Server-Side Request Forgery (SSRF) because several application components accept user-supplied URLs without validating the scheme or the destination address. An attacker can supply such URLs through the webhook management, RSS feed parsing, and HTML loading endpoints and thereby make the Postiz server issue requests to destinations of the attacker's choosing. That gives the attacker reach into internal network resources, services listening on the host itself, and cloud environment metadata.

TL;DR

Multiple endpoints in Postiz (< v2.21.2) fail to validate user-supplied URLs, enabling unauthenticated attackers to perform SSRF attacks against internal infrastructure and cloud metadata services. The patch adds a basic protocol and IP blocklist, but it checks the resolved address only before the request is made; the HTTP client resolves the hostname again when it connects, so a DNS name that rebinds between the two lookups can still reach a blocked address.


⚠️ Exploit Status: POC

Technical Details

  • Vulnerability Type: Server-Side Request Forgery (SSRF)
  • CWE ID: CWE-918
  • Attack Vector: Network
  • Authentication Required: None
  • Exploit Status: Proof of Concept (PoC) Available
  • Primary Impact: Unauthorized Internal Network Access / Credential Disclosure

Affected Systems

  • Postiz Webhooks Controller
  • Postiz Autopost Service
  • Postiz Orchestrator Activity
  • postiz-app: < 2.21.2 (Fixed in: v2.21.2)

Code Analysis

  • Fix Commit (Webhooks): 0ad89cc
  • Fix Commit (Autopost): be5d871

Mitigation Strategies

  • Application Patching and Upgrading
  • Network Egress Filtering
  • Implementation of SSRF-Resistant HTTP Agents

Remediation Steps:

  1. Upgrade all Postiz deployments to version v2.21.2 or later to apply the baseline protocol and IP validation checks.
  2. Configure network-layer egress filtering at the firewall or container orchestrator to explicitly deny outbound traffic from Postiz to the cloud metadata address (169.254.169.254, plus any IPv6 metadata address the provider exposes).
  3. Apply default-deny egress policies (for example a Kubernetes NetworkPolicy) so the Postiz container cannot initiate connections to adjacent internal databases and caching systems unless a specific rule allows it.
  4. Refactor backend HTTP clients to use an SSRF-aware agent such as 'request-filtering-agent', or an equivalent that validates the address at socket-connect time and pins it, so that the check and the connection use the same DNS resolution and the DNS rebinding (TOCTOU) residual risk is eliminated.

References


Read the full report for GHSA-89V5-38XR-9M4J on our website for more details including interactive diagrams and full exploit analysis.
