Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
PromptHub is an all-in-one AI toolbox for prompt, skill, and agent management. From version 0.4.9 to before version 0.5.4, apps/web/src/routes/skills.ts exposes an authenticated endpoint POST /api/skills/fetch-remote that fetches a user-supplied URL server-side and reflects the response body (up to 5 MB) back to the caller. The SSRF protection in apps/web/src/utils/remote-http.ts (isPrivateIPv6) attempts to block private/loopback destinations, but multiple alternate-but-valid IPv6 representations bypass the check. The bypasses reach any IPv4 address (loopback, RFC1918, link-local) via IPv4-mapped IPv6 in hex form, and the canonical ::1 via any representation that isn't the literal string "::1". Any authenticated user (role: user or admin) can trigger the SSRF. On deployments configured with ALLOW_REGISTRATION=true - a supported and documented configuration - this means any internet user who can register. This issue has been patched in version 0.5.4.
AnalysisAI
Server-Side Request Forgery (SSRF) in PromptHub 0.4.9 through 0.5.3 allows authenticated users to bypass IPv6 address validation and probe internal network resources. The /api/skills/fetch-remote endpoint accepts user-supplied URLs and fetches them server-side, reflecting up to 5 MB of response data. Flawed IPv6 validation allows attackers to reach RFC1918 private networks, loopback addresses, and link-local destinations using IPv4-mapped IPv6 hex representations and alternate ::1 notations. When ALLOW_REGISTRATION=true (a documented configuration), any internet user can register and exploit this vulnerability. Vendor-released patch: version 0.5.4. EPSS data not available; no evidence of active exploitation (not in CISA KEV).
Technical ContextAI
PromptHub is a Node.js-based AI toolbox for managing prompts, skills, and agents. The vulnerability resides in apps/web/src/routes/skills.ts, which implements a server-side URL fetch feature for authenticated users. The SSRF protection function isPrivateIPv6 in apps/web/src/utils/remote-http.ts performs insufficient validation of IPv6 addresses. The CWE-20 (Improper Input Validation) classification reflects the root cause: the filter fails to normalize IPv6 addresses before comparison, allowing multiple valid representations of the same address to bypass string-matching checks. IPv4-mapped IPv6 addresses in hexadecimal form (e.g., ::ffff:7f00:1 for 127.0.0.1) and non-canonical representations of ::1 (such as 0:0:0:0:0:0:0:1) evade the blocklist. This enables authenticated attackers to proxy requests to internal services, cloud metadata endpoints (169.254.169.254), and private network resources, potentially exfiltrating sensitive data or pivoting to internal systems.
RemediationAI
Upgrade immediately to PromptHub version 0.5.4 or later, released by the vendor to address this vulnerability. Download links for patched versions: Windows x64/arm64 installers (PromptHub-Setup-0.5.4-x64.exe, PromptHub-Setup-0.5.4-arm64.exe), macOS Apple Silicon/Intel DMG files (PromptHub-0.5.4-arm64.dmg, PromptHub-0.5.4-x64.dmg), Linux AppImage and deb packages (PromptHub-0.5.4-x64.AppImage, PromptHub-0.5.4-amd64.deb) available at https://github.com/legeling/PromptHub/releases/tag/v0.5.4. For macOS users, execute 'sudo xattr -rd com.apple.quarantine /Applications/PromptHub.app' after installation to resolve Gatekeeper warnings. If immediate patching is not feasible, implement network-level egress filtering to block server outbound connections to RFC1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), loopback addresses (127.0.0.0/8, ::1), link-local ranges (169.254.0.0/16, fe80::/10), and cloud metadata endpoints (169.254.169.254). Alternatively, disable the /api/skills/fetch-remote endpoint via reverse proxy rules or application firewall, though this eliminates the remote skill fetch functionality. For deployments with ALLOW_REGISTRATION=true, immediately disable public registration and review existing user accounts for suspicious registrations, as this configuration enabled unauthenticated internet users to create accounts and exploit the SSRF.
The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and
An authenticated path traversal vulnerability in Langflow's file upload functionality allows attackers to write arbitrar
Canonical snapd before version 2.37.1 incorrectly performed socket owner validation, allowing an attacker to run arbitra
An authorization bypass vulnerability in gRPC-Go allows attackers to circumvent path-based access control by sending HTT
Arbitrary file read in Langroid's SQLChatAgent (<= 0.63.0) lets an attacker who can influence the LLM-generated SQL exfi
An issue was discovered in the jsrsasign package through 8.0.18 for Node.js. Rated high severity (CVSS 7.5), this vulner
The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' byte
Resource exhaustion in OpenTelemetry Go propagation library (v1.41.0 and earlier) enables remote attackers to trigger se
A vulnerability in the seccomp filters of Canonical snapd before version 2.37.4 allows a strict mode snap to insert char
The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved
concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca
Timestamp forgery in sigstore-js allows an attacker supplying a crafted bundle v0.2 to manipulate certificate validity w
Same weakness CWE-20 – Improper Input Validation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28504