CVE-2025-53641

Published: Jul 11, 2025Modified: Jul 15, 2025

8.2

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Exploitability: 3.9 / Impact: 4.2

Source: security-advisories@github.com (Secondary)

Description

Postiz is an AI social media scheduling tool. From 1.45.1 to 1.62.3, the Postiz frontend application allows an attacker to inject arbitrary HTTP headers into the middleware pipeline. This flaw enables a server-side request forgery (SSRF) condition, which can be exploited to initiate unauthorized outbound requests from the server hosting the Postiz application. This vulnerability is fixed in 1.62.3.

Related CWEs

CWE-918

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (2)

https://github.com/gitroomhq/postiz-app/commit/65eca0e2f22155b43c78724ca43617ee52e42753

Source: security-advisories@github.com

https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-48c8-25jq-m55f

Source: security-advisories@github.com

Timeline

No history available yet.