Skip to main content

Stoatchat

4 CVEs product

Monthly

CVE-2026-63088 HIGH PATCH This Week

Server-side request forgery in Stoatchat before 0.14.0 lets unauthenticated, network-accessible attackers reach internal services that a DNS-based IP blocklist was meant to protect. The url_is_blacklisted function validates only the first resolved address, while the underlying HTTP client iterates over all cached DNS addresses, so a hostname resolving to both an allowed and an internal/blocked IP slips past the check. No public exploit identified at time of analysis; the issue is fixed in the v0.14.0 release and was reported by VulnCheck.

SSRF Stoatchat
NVD GitHub
CVSS 4.0
7.7
CVE-2026-63306 CRITICAL PATCH Act Now

Server-side request forgery in stoatchat before 0.13.5 allows remote unauthenticated attackers to coerce the server into making arbitrary outbound requests through the /proxy and /embed endpoints, which accept attacker-supplied URLs without DNS resolution filtering or private-IP validation. Reported by VulnCheck and carrying a CVSS 4.0 score of 9.2, it lets attackers enumerate internal services, fingerprint applications, and reach cloud instance-metadata endpoints. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

SSRF Stoatchat
NVD GitHub VulDB
CVSS 4.0
9.2
CVE-2025-71388 HIGH PATCH This Week

Webhook token disclosure in stoatchat (the Rust 'delta' backend of the Revolt/stoatchat platform) lets any channel member holding only ViewChannel (read) permission enumerate a channel's webhooks and read their secret tokens. Because a retrieved token authorizes posting, the attacker can then inject arbitrary messages while impersonating a bot or webhook, bypassing the channel's ManageWebhooks and posting permissions. Reported by VulnCheck and fixed in 20250210-1 (0.8.2); no public exploit identified at time of analysis.

Authentication Bypass Stoatchat
NVD GitHub
CVSS 4.0
7.6
CVE-2025-71377 HIGH PATCH This Week

Denial of service in stoatchat (delta) versions before 20250210-1 (0.8.2) lets a remote unauthenticated attacker exhaust server resources by abusing the 'nearby' message query route. A logic error passes a message limit of zero to the database, which MongoDB interprets as 'no limit', so a single crafted request downloads an entire channel's history; parallelized requests amplify this into resource-exhaustion DoS. No public exploit identified at time of analysis and the flaw is not in CISA KEV, but the upstream fix and a VulnCheck advisory are published.

Denial Of Service Stoatchat
NVD GitHub
CVSS 4.0
8.7
CVSS 7.7
HIGH PATCH This Week

Server-side request forgery in Stoatchat before 0.14.0 lets unauthenticated, network-accessible attackers reach internal services that a DNS-based IP blocklist was meant to protect. The url_is_blacklisted function validates only the first resolved address, while the underlying HTTP client iterates over all cached DNS addresses, so a hostname resolving to both an allowed and an internal/blocked IP slips past the check. No public exploit identified at time of analysis; the issue is fixed in the v0.14.0 release and was reported by VulnCheck.

SSRF Stoatchat
NVD GitHub
CVSS 9.2
CRITICAL PATCH Act Now

Server-side request forgery in stoatchat before 0.13.5 allows remote unauthenticated attackers to coerce the server into making arbitrary outbound requests through the /proxy and /embed endpoints, which accept attacker-supplied URLs without DNS resolution filtering or private-IP validation. Reported by VulnCheck and carrying a CVSS 4.0 score of 9.2, it lets attackers enumerate internal services, fingerprint applications, and reach cloud instance-metadata endpoints. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

SSRF Stoatchat
NVD GitHub VulDB
CVSS 7.6
HIGH PATCH This Week

Webhook token disclosure in stoatchat (the Rust 'delta' backend of the Revolt/stoatchat platform) lets any channel member holding only ViewChannel (read) permission enumerate a channel's webhooks and read their secret tokens. Because a retrieved token authorizes posting, the attacker can then inject arbitrary messages while impersonating a bot or webhook, bypassing the channel's ManageWebhooks and posting permissions. Reported by VulnCheck and fixed in 20250210-1 (0.8.2); no public exploit identified at time of analysis.

Authentication Bypass Stoatchat
NVD GitHub
CVSS 8.7
HIGH PATCH This Week

Denial of service in stoatchat (delta) versions before 20250210-1 (0.8.2) lets a remote unauthenticated attacker exhaust server resources by abusing the 'nearby' message query route. A logic error passes a message limit of zero to the database, which MongoDB interprets as 'no limit', so a single crafted request downloads an entire channel's history; parallelized requests amplify this into resource-exhaustion DoS. No public exploit identified at time of analysis and the flaw is not in CISA KEV, but the upstream fix and a VulnCheck advisory are published.

Denial Of Service Stoatchat
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy