CVE-2026-29178
Unauthenticated SSRF in Lemmy's activitypub_federation Endpoint
Publication date: 2026-03-06
Last updated on: 2026-03-06
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| lemmy | lemmy | < 0.19.16 (0.19.16 excluded) |
| lemmy | lemmy | 0.19.16 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-29178 is an unauthenticated Server-Side Request Forgery (SSRF) vulnerability in Lemmy (LemmyNet) versions prior to 0.19.16. It affects the GET /api/v4/image/(unknown) endpoint, where the file_type query parameter is not validated.
Lemmy inserts the file_type value directly into the URL it uses to call the pict-rs image service, without validating or percent-encoding it. pict-rs supports a proxy query parameter that makes it fetch an image from an arbitrary URL.
By supplying a file_type value that contains a ? followed by its own query string, an attacker appends a proxy parameter to the URL Lemmy sends to pict-rs and makes pict-rs fetch an arbitrary internal or external URL. No authentication is required.
For example, pict-rs can be pointed at a cloud instance-metadata service such as the AWS metadata endpoint, or used to probe other services on the internal Docker network. The fetched response is streamed back to the attacker through Lemmy, so this is a full-read SSRF that enables data exfiltration.
How can this vulnerability impact me?
This vulnerability allows unauthenticated attackers to perform SSRF attacks through Lemmy, with several possible impacts:
- Access to cloud instance-metadata services (AWS, GCP, Azure), which can expose temporary credentials or configuration data.
- Scanning of, and interaction with, internal services on the Docker network where the Lemmy and pict-rs containers reside, revealing internal infrastructure details.
- Bypassing the URL validation that other Lemmy endpoints apply, since the request is made by pict-rs rather than by Lemmy's own fetch code, increasing the attack surface.
Overall, this can lead to unauthorized data exposure, reconnaissance of internal networks, and potential further exploitation with any credentials obtained.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring requests to the vulnerable endpoint GET /api/v4/image/(unknown) whose file_type query parameter carries an injected query string, in particular a proxy parameter pointing at an internal or external URL.
Look for requests to the endpoint with a file_type value that contains an unexpected query string, such as: jpg?proxy=http://169.254.169.254/latest/meta-data&x=
Example commands to detect exploitation attempts:
- Search web-server logs for suspicious file_type values: grep -i 'file_type=.*proxy=' /var/log/nginx/access.log (an attacker may percent-encode the payload, so also search for the encoded form, e.g. grep -i 'file_type=.*proxy%3d' /var/log/nginx/access.log)
- Test whether an instance you are authorised to test is vulnerable by sending a crafted request: curl -v 'http://your-lemmy-instance/api/v4/image/test.jpg?file_type=jpg?proxy=http://169.254.169.254/latest/meta-data&x=' (a response containing metadata-service content indicates the instance is exploitable)
- Monitor network traffic for outbound requests from the pict-rs service to internal IPs or cloud metadata endpoints (e.g. 169.254.169.254), which indicate SSRF exploitation. [1]
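The log search above, as an added example that is not part of the advisory or the Lemmy project: a Python scan that percent-decodes the request target before inspecting file_type, so the raw and the URL-encoded payload forms (which a single literal grep misses) are both caught, and that extracts the URL pict-rs would have been told to fetch. The endpoint path and parameter name come from this page; the log lines are constructed samples in nginx "combined" format, and the client addresses and the second proxy target are made up.

```python
"""
Scan web-server access logs for CVE-2026-29178 exploitation attempts.
Added example, not from the advisory or the Lemmy project. The log lines are
constructed samples in nginx "combined" format; client addresses and the
second proxy target are made up.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines: a benign request, the raw payload, the same attack
# percent-encoded, and an unrelated request.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Mar/2026:10:00:01 +0000] "GET /api/v4/image/abc.jpg?file_type=jpg HTTP/1.1" 200 512 "-" "curl/8.5.0"
203.0.113.9 - - [06/Mar/2026:10:00:02 +0000] "GET /api/v4/image/abc.jpg?file_type=jpg?proxy=http://169.254.169.254/latest/meta-data&x= HTTP/1.1" 200 9001 "-" "python-requests/2.31"
203.0.113.9 - - [06/Mar/2026:10:00:03 +0000] "GET /api/v4/image/abc.jpg?file_type=jpg%3Fproxy%3Dhttp%3A%2F%2F10.0.0.5%3A8080%2Fadmin%26x%3D HTTP/1.1" 200 300 "-" "python-requests/2.31"
203.0.113.7 - - [06/Mar/2026:10:00:04 +0000] "GET /api/v4/post/list HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
ALNUM_RE = re.compile(r"[A-Za-z0-9]+")   # what a legitimate file_type looks like


def extract_file_type(target: str) -> Optional[str]:
    """Decoded file_type parameter of a request to the image endpoint, else None.
    parse_qs percent-decodes, so the raw and encoded payload forms look the same here."""
    parts = urlsplit(target)
    if not parts.path.startswith("/api/v4/image/"):
        return None
    vals = parse_qs(parts.query, keep_blank_values=True).get("file_type")
    return vals[0] if vals else None


def injected_proxy_target(file_type: str) -> Optional[str]:
    """If file_type smuggles its own query string, return the URL pict-rs would be told to proxy."""
    if "?" not in file_type:
        return None
    smuggled = file_type.partition("?")[2]
    return parse_qs(smuggled, keep_blank_values=True).get("proxy", [None])[0]


def scan_log(text: str) -> List[Dict[str, Optional[str]]]:
    """One finding per request whose file_type is not purely alphanumeric."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        file_type = extract_file_type(m.group("target"))
        if file_type is None or ALNUM_RE.fullmatch(file_type):
            continue
        findings.append({
            "client": line.split(" ", 1)[0],   # first field of the combined format
            "file_type": file_type,
            "proxy": injected_proxy_target(file_type),
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['client']} file_type={f['file_type']!r} proxy={f['proxy']}")
```

Flagging on "file_type is not purely alphanumeric" rather than on the literal string proxy= keeps the scan aligned with the allowlist the fix is described as enforcing, so probes that use a different pict-rs parameter are still surfaced.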
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to upgrade Lemmy to version 0.19.16 or later, where this vulnerability is patched.
The patch validates the file_type parameter so that only alphanumeric characters are accepted, which prevents injection of a ? and arbitrary query parameters into the pict-rs URL.
If you cannot upgrade immediately, add input validation in front of Lemmy (for example at the reverse proxy) that rejects any request whose file_type value contains characters outside [A-Za-z0-9].
Additionally, monitor and restrict outbound network access from the pict-rs container so that it cannot reach arbitrary URLs, in particular internal services and cloud metadata endpoints such as 169.254.169.254.
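The unencoded concatenation explained in the Q&A above, beside the alphanumeric allowlist the patch is described as applying, modelled in Python as an added example. This is not Lemmy's or pict-rs's own code: the pict-rs URL template, the service address and the function names are assumptions made for illustration, since the advisory does not state the exact URL Lemmy builds. The model also shows why the attacker's payload ends in &x=.

```python
"""
Model of the CVE-2026-29178 injection and of the fix described above.
Added example; this is not Lemmy's or pict-rs's own code. The pict-rs URL
template, the service address and the function names are assumptions made
for illustration only; the advisory does not give the exact URL Lemmy builds.
"""
import re
from typing import Optional
from urllib.parse import parse_qs, quote, urlsplit

PICTRS_BASE = "http://pictrs:8080"            # assumed internal service address
FILE_TYPE_RE = re.compile(r"[A-Za-z0-9]+")    # allowlist the fix is described as using


def build_pictrs_url_vulnerable(name: str, file_type: str) -> str:
    """Pre-fix behaviour (modelled): file_type is spliced into the URL verbatim,
    so a '?' inside it starts the query string of the request to pict-rs."""
    return f"{PICTRS_BASE}/image/process.{file_type}?src={quote(name, safe='')}"


def build_pictrs_url_fixed(name: str, file_type: str) -> str:
    """Post-fix behaviour (modelled): reject anything outside [A-Za-z0-9]+ and
    percent-encode the value anyway, so relaxing the allowlist later cannot
    silently reintroduce query-string injection."""
    if not FILE_TYPE_RE.fullmatch(file_type):
        raise ValueError(f"invalid file_type: {file_type!r}")
    return (f"{PICTRS_BASE}/image/process.{quote(file_type, safe='')}"
            f"?src={quote(name, safe='')}")


def fixed_accepts(file_type: str) -> bool:
    """True if the hardened builder accepts this file_type value."""
    try:
        build_pictrs_url_fixed("x", file_type)
        return True
    except ValueError:
        return False


def proxy_target(url: str) -> Optional[str]:
    """The URL pict-rs would be told to fetch: the proxy query parameter, if present."""
    return parse_qs(urlsplit(url).query).get("proxy", [None])[0]


if __name__ == "__main__":
    # Constructed attacker value. The trailing '&x=' turns whatever Lemmy appends
    # after file_type into a throwaway parameter, so the proxy value stays clean.
    payload = "jpg?proxy=http://169.254.169.254/latest/meta-data&x="
    bad = build_pictrs_url_vulnerable("cat", payload)
    print("vulnerable ->", bad)
    print("pict-rs would proxy:", proxy_target(bad))
    print("fixed accepts 'jpg':", fixed_accepts("jpg"))
    print("fixed accepts payload:", fixed_accepts(payload))
```

The same allowlist check, placed at a reverse proxy in front of an unpatched instance, is the interim mitigation described above; the egress restriction on pict-rs is the defence that still holds if some other parameter is found to reach the proxy feature.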