Stoatchat
Monthly
Server-side request forgery in Stoatchat before 0.14.0 lets unauthenticated, network-accessible attackers reach internal services that a DNS-based IP blocklist was meant to protect. The url_is_blacklisted function validates only the first resolved address, while the underlying HTTP client iterates over all cached DNS addresses, so a hostname resolving to both an allowed and an internal/blocked IP slips past the check. No public exploit identified at time of analysis; the issue is fixed in the v0.14.0 release and was reported by VulnCheck.
Server-side request forgery in stoatchat before 0.13.5 allows remote unauthenticated attackers to coerce the server into making arbitrary outbound requests through the /proxy and /embed endpoints, which accept attacker-supplied URLs without DNS resolution filtering or private-IP validation. Reported by VulnCheck and carrying a CVSS 4.0 score of 9.2, it lets attackers enumerate internal services, fingerprint applications, and reach cloud instance-metadata endpoints. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Webhook token disclosure in stoatchat (the Rust 'delta' backend of the Revolt/stoatchat platform) lets any channel member holding only ViewChannel (read) permission enumerate a channel's webhooks and read their secret tokens. Because a retrieved token authorizes posting, the attacker can then inject arbitrary messages while impersonating a bot or webhook, bypassing the channel's ManageWebhooks and posting permissions. Reported by VulnCheck and fixed in 20250210-1 (0.8.2); no public exploit identified at time of analysis.
Denial of service in stoatchat (delta) versions before 20250210-1 (0.8.2) lets a remote unauthenticated attacker exhaust server resources by abusing the 'nearby' message query route. A logic error passes a message limit of zero to the database, which MongoDB interprets as 'no limit', so a single crafted request downloads an entire channel's history; parallelized requests amplify this into resource-exhaustion DoS. No public exploit identified at time of analysis and the flaw is not in CISA KEV, but the upstream fix and a VulnCheck advisory are published.
Server-side request forgery in Stoatchat before 0.14.0 lets unauthenticated, network-accessible attackers reach internal services that a DNS-based IP blocklist was meant to protect. The url_is_blacklisted function validates only the first resolved address, while the underlying HTTP client iterates over all cached DNS addresses, so a hostname resolving to both an allowed and an internal/blocked IP slips past the check. No public exploit identified at time of analysis; the issue is fixed in the v0.14.0 release and was reported by VulnCheck.
Server-side request forgery in stoatchat before 0.13.5 allows remote unauthenticated attackers to coerce the server into making arbitrary outbound requests through the /proxy and /embed endpoints, which accept attacker-supplied URLs without DNS resolution filtering or private-IP validation. Reported by VulnCheck and carrying a CVSS 4.0 score of 9.2, it lets attackers enumerate internal services, fingerprint applications, and reach cloud instance-metadata endpoints. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Webhook token disclosure in stoatchat (the Rust 'delta' backend of the Revolt/stoatchat platform) lets any channel member holding only ViewChannel (read) permission enumerate a channel's webhooks and read their secret tokens. Because a retrieved token authorizes posting, the attacker can then inject arbitrary messages while impersonating a bot or webhook, bypassing the channel's ManageWebhooks and posting permissions. Reported by VulnCheck and fixed in 20250210-1 (0.8.2); no public exploit identified at time of analysis.
Denial of service in stoatchat (delta) versions before 20250210-1 (0.8.2) lets a remote unauthenticated attacker exhaust server resources by abusing the 'nearby' message query route. A logic error passes a message limit of zero to the database, which MongoDB interprets as 'no limit', so a single crafted request downloads an entire channel's history; parallelized requests amplify this into resource-exhaustion DoS. No public exploit identified at time of analysis and the flaw is not in CISA KEV, but the upstream fix and a VulnCheck advisory are published.