Skip to main content

Postiz CVE-2025-53641

| EUVDEUVD-2025-21168 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2025-07-11 security-advisories@github.com
8.2
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:27 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
1.62.3
EUVD ID Assigned
Mar 16, 2026 - 08:18 euvd
EUVD-2025-21168
Analysis Generated
Mar 16, 2026 - 08:18 vuln.today
CVE Published
Jul 11, 2025 - 18:15 nvd
HIGH 8.2

DescriptionGitHub Advisory

Postiz is an AI social media scheduling tool. From 1.45.1 to 1.62.3, the Postiz frontend application allows an attacker to inject arbitrary HTTP headers into the middleware pipeline. This flaw enables a server-side request forgery (SSRF) condition, which can be exploited to initiate unauthorized outbound requests from the server hosting the Postiz application. This vulnerability is fixed in 1.62.3.

AnalysisAI

CVE-2025-53641 is a Server-Side Request Forgery (SSRF) vulnerability in Postiz versions 1.45.1 through 1.62.2 that allows unauthenticated network attackers to inject arbitrary HTTP headers into the middleware pipeline, enabling unauthorized outbound requests from the affected server. With a CVSS score of 8.2 and network-accessible attack surface (AV:N/PR:N), this vulnerability poses significant risk to confidentiality of internal services and resources accessible from the server. The vulnerability is patched in version 1.62.3, and exploitation requires no user interaction or authentication, making it a high-priority remediation target.

Technical ContextAI

The vulnerability exists in the Postiz frontend application's HTTP middleware layer, where insufficient input validation on HTTP headers allows attackers to craft malicious header injections. This is categorized under CWE-918 (Server-Side Request Forgery), which describes a weakness where an application fetches remote resources or makes outbound requests based on attacker-controlled input without proper validation. The root cause is likely improper sanitization or whitelisting of HTTP headers before they are passed to the middleware pipeline, potentially affecting libraries handling request forwarding, proxy functionality, or internal HTTP clients. The application architecture appears to be a Node.js/JavaScript-based social media scheduling platform (Postiz is a known open-source scheduling tool) where the frontend or API layer improperly processes user-supplied headers that propagate to backend request mechanisms.

RemediationAI

IMMEDIATE: Upgrade Postiz to version 1.62.3 or later. This is a critical patch addressing the header injection flaw. INTERIM MITIGATION (if upgrade is delayed): (1) Implement strict HTTP header whitelisting at the reverse proxy/load balancer level (e.g., nginx, Apache) to strip or validate user-supplied headers before they reach Postiz; (2) Restrict outbound network access from the Postiz server using egress firewall rules, limiting connections to only necessary external APIs and services; (3) Disable or restrict access to internal service endpoints (e.g., metadata services, internal admin APIs) if they are not required; (4) Monitor outbound HTTP/HTTPS connections from the Postiz application for anomalous requests to internal IP ranges or unexpected external endpoints. LONG-TERM: Review and audit the HTTP middleware pipeline code post-patch to ensure similar header injection flaws are not present in other components; implement automated security scanning (SAST/DAST) in CI/CD to catch similar issues early.

Share

CVE-2025-53641 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy