Koel
Monthly
SSRF in Koel's radio station creation endpoint (POST /api/radio/stations) allows any authenticated non-admin user to coerce the server into issuing HEAD/GET requests to arbitrary internal hosts. The root cause is a missing Laravel `bail` keyword in the URL field validation chain: the SafeUrl rule correctly rejects private/reserved addresses, but without bail, the subsequent HasAudioContentType rule still executes and makes an outbound HTTP request to the attacker-supplied URL. Vendor-released patch version 9.7.1 resolves the issue; no public exploit or CISA KEV listing exists at time of analysis.
Koel before 5.1.4 lacks login throttling, lacks a password strength policy, and shows whether a failed login attempt had a valid username. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
SSRF in Koel's radio station creation endpoint (POST /api/radio/stations) allows any authenticated non-admin user to coerce the server into issuing HEAD/GET requests to arbitrary internal hosts. The root cause is a missing Laravel `bail` keyword in the URL field validation chain: the SafeUrl rule correctly rejects private/reserved addresses, but without bail, the subsequent HasAudioContentType rule still executes and makes an outbound HTTP request to the attacker-supplied URL. Vendor-released patch version 9.7.1 resolves the issue; no public exploit or CISA KEV listing exists at time of analysis.
Koel before 5.1.4 lacks login throttling, lacks a password strength policy, and shows whether a failed login attempt had a valid username. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.