- Description
- LNbits is a Lightning wallet and accounts system. A Server-Side Request Forgery (SSRF) vulnerability has been discovered in LNbits' LNURL authentication handling functionality. When processing LNURL authentication requests, the application accepts a callback URL parameter and makes an HTTP request to that URL using the httpx library with redirect following enabled. The application doesn't properly validate the callback URL, allowing attackers to specify internal network addresses and access internal resources.
- Source
- security-advisories@github.com
- NVD status
- Analyzed
CVSS 4.0
- Type
- Secondary
- Base score
- 9.3
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- CRITICAL
CVSS 3.1
- Type
- Primary
- Base score
- 7.5
- Impact score
- 3.6
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- Severity
- HIGH
- Weakness (security-advisories@github.com)
- CWE-918
- Hype score
- Not currently trending
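The description above boils the flaw down to two things: the callback host is never checked against internal address ranges, and httpx follows redirects, so even a validated first hop can land on an internal service. The following is an added example of the defensive check a handler could apply before the outbound request; it is not LNbits code, and the names validate_callback_url, fetch_callback and resolve_host are hypothetical. The DNS resolver and the HTTP fetch are injected so the logic runs offline.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

MAX_REDIRECT_HOPS = 3  # constructed limit; LNURL-auth callbacks rarely need redirects at all

def _ip_is_internal(ip):
    """Loopback, RFC 1918, link-local (cloud metadata), multicast, reserved or unspecified."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:127.0.0.1 as 127.0.0.1
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def resolve_host(host):
    """Default resolver using real DNS; tests inject a stub instead."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def validate_callback_url(url, resolver=resolve_host):
    """Return url if it is an https URL whose host resolves only to non-internal addresses."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"callback scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("callback has no host")
    if parts.username or parts.password:
        raise ValueError("userinfo in callback not allowed")
    try:  # literal address (urlsplit already strips IPv6 brackets)
        addrs = [ipaddress.ip_address(parts.hostname)]
    except ValueError:  # hostname: every resolved address must pass, not just the first
        addrs = [ipaddress.ip_address(a) for a in resolver(parts.hostname)]
    if not addrs:
        raise ValueError("callback host does not resolve")
    for addr in addrs:
        if _ip_is_internal(addr):
            raise ValueError(f"callback resolves to internal address {addr}")
    return url

def fetch_callback(url, fetch, resolver=resolve_host):
    """Walk redirects by hand so every hop is validated (httpx follow_redirects=True skips this).
    `fetch(url)` returns (status, Location-or-None); in production wrap httpx.get(url, follow_redirects=False)."""
    for _ in range(MAX_REDIRECT_HOPS + 1):
        validate_callback_url(url, resolver)
        status, location = fetch(url)
        if status not in (301, 302, 303, 307, 308):
            return status, url
        if location is None:
            raise ValueError("redirect without Location header")
        url = urljoin(url, location)  # relative Location resolves against the validated hop
    raise ValueError("too many redirects")
```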
A critical SSRF vulnerability (CVE-2025-32013) has been discovered and fixed in LNbits, a wallet server for the Lightning Network. Because the callback URL was insufficiently validated during the LNURL authentication flow, an attacker could specify an internal IP address (e.g. localhost or 192.168.0.1) and potentially gain unauthorized access to internal services and files.
@yousukezan
10 Apr 2025
744 Impressions
2 Retweets
7 Likes
1 Bookmark
1 Reply
0 Quotes
🚨 Critical CVE-2025-32013 alert: An SSRF flaw in LNbits could expose internal systems via manipulated callback URLs. CVSS 9.3. Immediate action is advised. Details: https://t.co/toBINivSyv #CyberSecurity #CVE2025 #SSRF #LNbits
@threatsbank
7 Apr 2025
5 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[CVE-2025-32013: CRITICAL] #CyberSecurity alert! LNbits, a Lightning wallet, has a vulnerability in LNURL authentication handling, allowing SSRF attacks. Unauthorized access to internal resources possible. #cybersecurity, #vulnerability https://t.co/WSeuzQvjBm https://t.co/VfAOmSeiY
@CveFindCom
7 Apr 2025
29 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-32013 LNbits is a Lightning wallet and accounts system. A Server-Side Request Forgery (SSRF) vulnerability has been discovered in LNbits' LNURL authentication handling func… https://t.co/yzJrddeT75
@CVEnew
6 Apr 2025
675 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:lnbits:lnbits:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "B6044020-AF79-4714-A42C-6ADC9B8B61BC",
"versionEndExcluding": "0.12.12"
}
],
"operator": "OR"
}
]
}
]