Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit cefeb6da1828 · 2026-03-27T15:48:49.000Z
GHSA-89v5-38xr-9m4j GHSA-vj2p-7pgw-g2wf
diff --git a/advisories/github-reviewed/2026/03/GHSA-89v5-38xr-9m4j/GHSA-89v5-38xr-9m4j.json b/advisories/github-reviewed/2026/03/GHSA-89v5-38xr-9m4j/GHSA-89v5-38xr-9m4j.json
@@ -0,0 +1,67 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-89v5-38xr-9m4j",
+  "modified": "2026-03-27T15:47:57Z",
+  "published": "2026-03-27T15:47:57Z",
+  "aliases": [],
+  "summary": "Postiz has Multiple SSRF Vectors - Webhooks, RSS Feed, URL Loader",
+  "details": "## Summary\n\nPostiz has multiple SSRF vulnerabilities where user-provided URLs are fetched server-side without any IP validation or SSRF protection.\n\n## Vulnerable Code\n\n### 1. Webhook Send Endpoint (Most Critical)\n\n**`apps/backend/src/api/routes/webhooks.controller.ts` lines 58-70:**\n```typescript\nasync sendWebhook(@Body() body: any, @Query('url') url: string) {\n  try {\n    await fetch(url, {  // No URL validation\n      method: 'POST',\n      body: JSON.stringify(body),\n      headers: { 'Content-Type': 'application/json' },\n    });\n  } catch (err) { }\n  return { send: true };\n}\n```\n\nAccepts arbitrary URL via query parameter and fetches directly.\n\n### 2. Stored Webhook Delivery\n\n**`apps/orchestrator/src/activities/post.activity.ts` lines 256-281:**\n```typescript\nasync sendWebhooks(postId: string, orgId: string, integrationId: string) {\n  const webhooks = await this._webhookService.getWebhooks(orgId);\n  return Promise.all(\n    webhooks.map(async (webhook) => {\n      await fetch(webhook.url, {  // Stored URL, no validation\n        method: 'POST',\n        body: JSON.stringify(post),\n      });\n    })\n  );\n}\n```\n\n### 3. RSS/XML Feed Parser\n\n**`libraries/nestjs-libraries/src/database/prisma/autopost/autopost.service.ts` line 135:**\n```typescript\nasync loadXML(url: string) {\n  const { items } = await parser.parseURL(url);  // No URL validation\n}\n```\n\n### 4. HTML Content Loader\n\n**`libraries/nestjs-libraries/src/database/prisma/autopost/autopost.service.ts` line 185:**\n```typescript\nasync loadUrl(url: string) {\n  const loadDom = new JSDOM(await (await fetch(url)).text());  // No validation\n}\n```\n\n## Missing Protections\n\n- No `request-filtering-agent` or SSRF library\n- No private IP range filtering\n- No cloud metadata endpoint blocking\n- No DNS rebinding protection\n- URL validation only via `@IsUrl()` decorator (format only, no IP check)\n\n## Attack Scenarios\n\n1. `POST /webhooks/send?url=http://169.254.169.254/latest/meta-data/` → AWS metadata theft\n2. `POST /autopost/send?url=http://127.0.0.1:6379` → Internal Redis access\n3. Create webhook with `http://10.0.0.1:8080/admin` → Internal service access on post publish\n\n## Impact\n\n- **Cloud metadata theft**: AWS/GCP/Azure credentials\n- **Internal network scanning**: Full access to private IP ranges\n- **Multiple entry points**: Webhooks, RSS feeds, URL loader all vulnerable",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:H/SI:L/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "postiz"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "2.0.12"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-89v5-38xr-9m4j"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/gitroomhq/postiz-app/commit/0ad89ccd26b1c387c4f3f3544b18c20d33586466"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/gitroomhq/postiz-app/commit/be5d871896e97cb1f5a2c9241f156b6a1e1debe8"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/gitroomhq/postiz-app"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.2"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-918"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-27T15:47:57Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-vj2p-7pgw-g2wf/GHSA-vj2p-7pgw-g2wf.json b/advisories/github-reviewed/2026/03/GHSA-vj2p-7pgw-g2wf/GHSA-vj2p-7pgw-g2wf.json
@@ -0,0 +1,64 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-vj2p-7pgw-g2wf",
+  "modified": "2026-03-27T15:46:53Z",
+  "published": "2026-03-27T15:46:53Z",
+  "aliases": [],
+  "summary": "Postiz App has a High-Severity SSRF Vulnerability via Next.js",
+  "details": "### Impact\nA successful SSRF attack allows an attacker to:\n- Bypass firewalls to scan and interact with internal network services/ports.\n- Access sensitive cloud metadata services (e.g., AWS IMDS 169.254.169.254) to potentially leak instance credentials.\n- Pivot into the internal network environment where Postiz is hosted.\n\n### Workarounds\nThere are no workarounds known to this, please upgrade to Postiz version `v2.21.1`.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "postiz"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "2.0.12"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-vj2p-7pgw-g2wf"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/vercel/next.js/security/advisories/GHSA-fr5h-rqp8-mj6g"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34351"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/gitroomhq/postiz-app"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-1395",
+      "CWE-918"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-27T15:46:53Z",
+    "nvd_published_at": null
+  }
+}
