CVE-2026-33644
SSRF Bypass via DNS Rebinding in Lychee PhotoUrlRule.php

Publication date: 2026-03-26

Last updated on: 2026-03-30

Assigner: GitHub, Inc.

Description
Lychee is a free, open-source photo-management tool. Prior to version 7.5.2, the SSRF protection in `PhotoUrlRule.php` can be bypassed using DNS rebinding. The IP validation check (lines 86-89) only activates when the hostname is an IP address. When a domain name is used, `filter_var($host, FILTER_VALIDATE_IP)` returns `false`, skipping the entire check. Version 7.5.2 patches the issue.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-03-26
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
1 associated CPE:
Vendor: lycheeorg
Product: lychee
Version / Range: up to 7.5.2 (exclusive)
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-33644 is a Server-Side Request Forgery (SSRF) vulnerability in the Lychee photo management application prior to version 7.5.2. The issue arises because the application attempts to block requests to private or reserved IP addresses only when the hostname is directly an IP address. If a domain name is used instead, the IP validation check is bypassed due to the way the code uses PHP's `filter_var` function, which returns `false` for hostnames, skipping the private IP check.

This allows an attacker to use DNS rebinding techniques by supplying a hostname that resolves to an internal or localhost IP address, thereby bypassing the SSRF protections. An authenticated user can exploit this by sending a URL with a DNS name that resolves to internal IPs, causing the server to make requests to internal services that should normally be inaccessible.

How can this vulnerability impact me?

This vulnerability allows an authenticated user to perform SSRF attacks against internal HTTP services that are normally inaccessible from outside the network. By exploiting DNS rebinding, an attacker can cause the server to make requests to internal IP addresses, including localhost and cloud metadata endpoints.

The impact includes potential exposure of sensitive information or internal infrastructure details, as the attacker can access internal services through the vulnerable photo import functionality. Although the CVSS score rates this as a low-severity issue, it still poses a risk to confidentiality by enabling unauthorized internal network access.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this SSRF vulnerability involves monitoring for requests to the Lychee photo management application's endpoint that import photos via URLs, especially POST requests to `/api/v2/Photo::fromUrl` containing URLs with hostnames that resolve to internal, private, or localhost IP addresses.

Since the vulnerability exploits DNS rebinding by using hostnames that resolve to private or reserved IPs, you can detect suspicious activity by resolving hostnames used in photo import URLs and checking if they map to private or localhost IP ranges.

Suggested commands to detect such activity include:

  • Use network monitoring tools (e.g., tcpdump, Wireshark) to capture outgoing HTTP requests from the Lychee server to internal IP ranges.
  • Extract hostnames from logs or intercepted requests and resolve them using commands like `dig` or `nslookup` to check if they resolve to private or localhost IPs.
  • Example command to resolve a hostname and check its IPs: `dig +short example-hostname.com` or `nslookup example-hostname.com`.
  • Check application logs for POST requests to `/api/v2/Photo::fromUrl` with suspicious URLs.

What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade the Lychee photo management application to version 7.5.2 or later, where the vulnerability is patched.

The patch improves hostname resolution and validation by resolving hostnames to their IP addresses and blocking URLs that resolve to private, reserved, or localhost IP addresses, preventing DNS rebinding attacks.
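The two check shapes discussed above, as an added illustration that is not Lychee's code: the first function mirrors a check that only fires when the host is already a literal IP (so any hostname passes), the second resolves the host first and rejects the URL if any returned address is private or reserved, which is also what the `dig`/`nslookup` detection steps do by hand. Function names, the `DENY_FLAGS` constant and the lookup table standing in for DNS are constructed for this example.

```php
<?php
// Added illustration, not Lychee's code. Names and the lookup table are constructed.
const DENY_FLAGS = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;

// Vulnerable shape: the private/reserved check only runs when $host is a literal IP,
// so a hostname that resolves to an internal address is never examined.
function hostIsBlockedLiteralOnly(string $host): bool
{
    if (filter_var($host, FILTER_VALIDATE_IP) === false) {
        return false; // hostname, not an IP: check skipped entirely
    }
    return filter_var($host, FILTER_VALIDATE_IP, DENY_FLAGS) === false;
}

// Hardened shape: resolve first, then reject if ANY returned address is private/reserved.
// $resolve is injectable so the example runs offline; by default it queries DNS.
function hostIsBlockedResolved(string $host, ?callable $resolve = null): bool
{
    $resolve ??= function (string $h): array {
        if (filter_var($h, FILTER_VALIDATE_IP) !== false) { return [$h]; }
        $ips = [];
        foreach (dns_get_record($h, DNS_A | DNS_AAAA) ?: [] as $rec) {
            $ips[] = $rec['ip'] ?? $rec['ipv6'] ?? null;
        }
        return array_values(array_filter($ips));
    };
    $ips = $resolve($host);
    if ($ips === []) { return true; } // unresolvable: fail closed
    foreach ($ips as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP, DENY_FLAGS) === false) {
            return true;
        }
    }
    // The fetch should connect to one of these validated addresses rather than
    // re-resolving the name, otherwise a later DNS answer may differ.
    return false;
}

// Constructed stand-in for DNS; these are not real records.
$fakeDns = fn(string $h): array => match ($h) {
    'internal.example.test' => ['10.0.0.5'],
    'loopback.example.test' => ['127.0.0.1'],
    'public.example.test'   => ['203.0.113.10'], // documentation range, not private/reserved
    default => filter_var($h, FILTER_VALIDATE_IP) !== false ? [$h] : [],
};

foreach (['127.0.0.1', 'internal.example.test', 'loopback.example.test', 'public.example.test'] as $h) {
    printf("%-24s literal-only: %-5s  resolved: %s\n", $h,
        hostIsBlockedLiteralOnly($h) ? 'block' : 'allow',
        hostIsBlockedResolved($h, $fakeDns) ? 'block' : 'allow');
}
```

Only the literal `127.0.0.1` is blocked by the first function; the two internal hostnames are allowed by it and blocked by the resolving check.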

If upgrading immediately is not possible, consider the following temporary mitigations:

  • Restrict network access from the Lychee server to internal IP ranges to prevent SSRF exploitation.
  • Configure firewall rules to block outgoing requests to private, reserved, and localhost IP ranges.
  • Disable or restrict the photo import via URL feature if feasible.
  • Monitor and audit application logs for suspicious requests attempting to exploit this vulnerability.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows authenticated users to perform Server-Side Request Forgery (SSRF) attacks that can access internal HTTP services, potentially exposing sensitive information or internal infrastructure.

Such unauthorized access to internal services and sensitive data could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information.

By enabling attackers to bypass IP validation and access internal resources, the vulnerability increases the risk of data breaches and unauthorized data exposure, which are critical compliance concerns under these standards.

The fix implemented in version 7.5.2 mitigates this risk by properly resolving hostnames to IP addresses and blocking requests to private, reserved, or localhost IPs, thereby helping maintain compliance with security requirements of such regulations.
