Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
LinkAce is a self-hosted archive to collect website links. Prior to 2.5.4, LinkRepository::update and CheckLinksCommand::checkLink do not check for private IPs. An authenticated user can read responses from internal services (AWS IMDSv1, cloud metadata, internal APIs) by creating a link with a public URL and then updating it to a private IP. The links:check cron job makes the request server-side without IP filtering. This can expose cloud credentials, internal service data, and network topology. This vulnerability is fixed in 2.5.4.
AnalysisAI
Server-side request forgery (SSRF) in LinkAce prior to version 2.5.4 allows authenticated users to read responses from internal services by updating links to private IP addresses, exposing cloud credentials and internal service metadata. The links:check cron job executes requests without IP filtering, enabling attackers to probe AWS IMDSv1, cloud metadata endpoints, and internal APIs. The vulnerability requires authentication but operates over the network with low complexity, affecting all installations running versions before 2.5.4. No public exploit code or confirmed active exploitation has been identified at time of analysis.
Technical ContextAI
LinkAce's LinkRepository::update and CheckLinksCommand::checkLink functions perform server-side HTTP requests to validate and check links without validating target IP addresses against private IP ranges (RFC 1918, RFC 5735, link-local, loopback). The vulnerability is rooted in CWE-918 (Server-Side Request Forgery), a classic web application flaw where user-controlled input is used in server-initiated requests without proper allowlist or blocklist validation. An authenticated user can initially create a link with a public URL (passing any validation), then update it to target private IPs such as 169.254.169.254 (AWS IMDSv1), 127.0.0.1, or internal service IPs. When the links:check cron job executes periodically, it fetches and processes responses from these internal endpoints server-side, allowing the attacker to read the response content through the application's response handling. This is particularly dangerous in cloud-hosted deployments where metadata services expose temporary credentials and configuration data.
RemediationAI
Upgrade LinkAce to version 2.5.4 or later immediately, as the vendor has released a patched version that implements IP address validation in the LinkRepository::update and CheckLinksCommand::checkLink functions. The fix prevents requests to private IP ranges (RFC 1918, loopback, link-local, and other reserved ranges). After upgrading, verify that the links:check cron job is functioning correctly to ensure the fix is active in your environment. For organizations unable to upgrade immediately, disable or restrict the links:check cron job to prevent server-side requests, and limit link creation/update permissions to trusted users only as a temporary mitigation. Refer to the GitHub security advisory at https://github.com/Kovah/LinkAce/security/advisories/GHSA-4jhm-r4f5-p7xm for comprehensive patch details and additional recommendations.
LinkAce is a self-hosted archive to collect website links. Rated high severity (CVSS 8.4), this vulnerability is remotel
LinkAce is a self-hosted archive to collect links of your favorite websites. Rated high severity (CVSS 7.6), this vulner
LinkAce is a self-hosted archive to collect website links. Rated high severity (CVSS 7.3), this vulnerability is remotel
Stored XSS in LinkAce 2.4.2 and below allows authenticated users to inject malicious JavaScript through improperly sanit
LinkAce is a self-hosted archive to collect links of your favorite websites. Rated medium severity (CVSS 5.4), this vuln
Stored cross-site scripting in LinkAce prior to 2.5.6 allows a low-privilege OAuth-authenticated user to plant a persist
Server-Side Request Forgery (SSRF) in LinkAce self-hosted link archival application allows authenticated users to bypass
Remote code execution in LinkAce self-hosted link archive versions prior to 2.5.6 allows unauthenticated remote attacker
Server-side request forgery in LinkAce allows authenticated users to make arbitrary HTTP requests to internal network ad
Cross-tenant resource tampering in LinkAce before 2.5.6 lets any authenticated user modify links, lists, tags, and notes
LinkAce versions before 2.5.3 disclose private notes to authenticated users via the web interface when viewing shared li
LinkAce versions 2.1.0 and earlier allow authenticated users to inappropriately associate other users' private taxonomie
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19682