Skip to main content

Mealie CVE-2024-31991

LOW
Server-Side Request Forgery (SSRF) (CWE-918)
2024-04-19 security-advisories@github.com
3.5
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.5 LOW
AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Apr 19, 2024 - 21:15 nvd
LOW 3.5

DescriptionNVD

Mealie is a self hosted recipe manager and meal planner. Prior to 1.4.0, the safe_scrape_html function utilizes a user-controlled URL to issue a request to a remote server. Based on the content of the response, it will either parse the content or disregard it. This function, nor those that call it, add any restrictions on the URL that can be provided, nor is it restricted to being an FQDN (i.e., an IP address can be provided). As this function’s return will be handled differently by its caller depending on the response, it is possible for an attacker to use this functionality to positively identify HTTP(s) servers on the local network with any IP/port combination. This issue can result in any authenticated user being able to map HTTP servers on a local network that the Mealie service has access to. Note that by default any user can create an account on a Mealie server, and that the default changeme@example.com user is available with its hard-coded password. This vulnerability is fixed in 1.4.0.

AnalysisAI

Mealie is a self hosted recipe manager and meal planner. Rated low severity (CVSS 3.5), this vulnerability is low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

Technical ContextAI

This vulnerability is classified as Server-Side Request Forgery (SSRF) (CWE-918), which allows attackers to make the server perform requests to unintended internal or external resources. Mealie is a self hosted recipe manager and meal planner. Prior to 1.4.0, the safe_scrape_html function utilizes a user-controlled URL to issue a request to a remote server. Based on the content of the response, it will either parse the content or disregard it. This function, nor those that call it, add any restrictions on the URL that can be provided, nor is it restricted to being an FQDN (i.e., an IP address can be provided). As this function’s return will be handled differently by its caller depending on the response, it is possible for an attacker to use this functionality to positively identify HTTP(s) servers on the local network with any IP/port combination. This issue can result in any authenticated user being able to map HTTP servers on a local network that the Mealie service has access to. Note that by default any user can create an account on a Mealie server, and that the default changeme@example.com user is available with its hard-coded password. This vulnerability is fixed in 1.4.0. Affected products include: Mealie. Version information: Prior to 1.4.0.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Validate and allowlist destination URLs, block requests to internal networks, use network segmentation.

More in Mealie

View all
CVE-2022-34613 CRITICAL POC
9.8 Aug 02

Mealie 1.0.0beta3 contains an arbitrary file upload vulnerability which allows attackers to execute arbitrary code via a

CVE-2024-55073 HIGH POC
7.6 Mar 27

A Broken Object Level Authorization vulnerability in the component /api/users/{user-id} of hay-kot mealie v2.2.0 allows

CVE-2022-34625 HIGH POC
7.2 Aug 02

Mealie1.0.0beta3 was discovered to contain a Server-Side Template Injection vulnerability, which allows attackers to exe

CVE-2024-31994 MEDIUM POC
6.5 Apr 19

Mealie is a self hosted recipe manager and meal planner. Rated medium severity (CVSS 6.5), this vulnerability is low att

CVE-2025-70297 MEDIUM POC
6.1 Feb 11

A stored cross-site scripting (XSS) vulnerability in the recipe asset upload and media serving component in Mealie 3.3.1

CVE-2022-34615 CRITICAL
9.8 Aug 19

Mealie 1.0.0beta3 employs weak password requirements which allows attackers to potentially gain unauthorized access to t

CVE-2024-55072 MEDIUM POC
5.4 Mar 27

A Broken Object Level Authorization vulnerability in the component /api/users/{user-id} of hay-kot mealie v2.2.0 allows

CVE-2025-70296 MEDIUM POC
5.4 Feb 11

A stored HTML injection vulnerability in the Recipe Notes rendering component in Mealie 3.3.1 allows remote authenticate

CVE-2022-34619 MEDIUM POC
5.4 Aug 02

A stored cross-site scripting (XSS) vulnerability in Mealie v0.5.5 allows attackers to execute arbitrary web scripts or

CVE-2022-34618 MEDIUM POC
5.4 Aug 02

A stored cross-site scripting (XSS) vulnerability in Mealie 1.0.0beta3 allows attackers to execute arbitrary web scripts

CVE-2024-55070 LOW POC
3.1 Mar 27

A Broken Object Level Authorization vulnerability in the component /households/permissions of hay-kot mealie v2.2.0 allo

CVE-2024-31992 MEDIUM
6.5 Apr 19

Mealie is a self hosted recipe manager and meal planner. Rated medium severity (CVSS 6.5), this vulnerability is remotel

Share

CVE-2024-31991 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy