CVE-2025-32013 (GCVE-0-2025-32013)

Vulnerability from cvelistv5 – Published: 2025-04-06 20:07 – Updated: 2025-04-07 14:08

Title

Server-Side Request Forgery via LNURL Authentication Callback in LNbits Lightning Network Payment System

Summary

LNbits is a Lightning wallet and accounts system. A Server-Side Request Forgery (SSRF) vulnerability has been discovered in LNbits' LNURL authentication handling functionality. When processing LNURL authentication requests, the application accepts a callback URL parameter and makes an HTTP request to that URL using the httpx library with redirect following enabled. The application doesn't properly validate the callback URL, allowing attackers to specify internal network addresses and access internal resources.

Severity ?

9.3 (Critical)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

CWE

CWE-918 - Server-Side Request Forgery (SSRF)

Assigner

GitHub_M

References

URL

Tags

https://github.com/lnbits/lnbits/security/advisor…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	lnbits	lnbits	Affected: <= 0.12.12

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-32013",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-07T14:08:34.525626Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-07T14:08:48.776Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/lnbits/lnbits/security/advisories/GHSA-qp8j-p87f-c8cc"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "lnbits",
          "vendor": "lnbits",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 0.12.12"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "LNbits is a Lightning wallet and accounts system. A Server-Side Request Forgery (SSRF) vulnerability has been discovered in LNbits\u0027 LNURL authentication handling functionality. When processing LNURL authentication requests, the application accepts a callback URL parameter and makes an HTTP request to that URL using the httpx library with redirect following enabled. The application doesn\u0027t properly validate the callback URL, allowing attackers to specify internal network addresses and access internal resources."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918: Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-06T20:07:05.624Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/lnbits/lnbits/security/advisories/GHSA-qp8j-p87f-c8cc",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/lnbits/lnbits/security/advisories/GHSA-qp8j-p87f-c8cc"
        }
      ],
      "source": {
        "advisory": "GHSA-qp8j-p87f-c8cc",
        "discovery": "UNKNOWN"
      },
      "title": "Server-Side Request Forgery via LNURL Authentication Callback in LNbits Lightning Network Payment System"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-32013",
    "datePublished": "2025-04-06T20:07:05.624Z",
    "dateReserved": "2025-04-01T21:57:32.953Z",
    "dateUpdated": "2025-04-07T14:08:48.776Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"Server-Side Request Forgery via LNURL Authentication Callback in LNbits Lightning Network Payment System\", \"source\": {\"advisory\": \"GHSA-qp8j-p87f-c8cc\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 9.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"lnbits\", \"product\": \"lnbits\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c= 0.12.12\"}]}], \"references\": [{\"url\": \"https://github.com/lnbits/lnbits/security/advisories/GHSA-qp8j-p87f-c8cc\", \"name\": \"https://github.com/lnbits/lnbits/security/advisories/GHSA-qp8j-p87f-c8cc\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"LNbits is a Lightning wallet and accounts system. A Server-Side Request Forgery (SSRF) vulnerability has been discovered in LNbits\u0027 LNURL authentication handling functionality. When processing LNURL authentication requests, the application accepts a callback URL parameter and makes an HTTP request to that URL using the httpx library with redirect following enabled. The application doesn\u0027t properly validate the callback URL, allowing attackers to specify internal network addresses and access internal resources.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-918\", \"description\": \"CWE-918: Server-Side Request Forgery (SSRF)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-04-06T20:07:05.624Z\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-32013\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-07T14:08:34.525626Z\"}}}], \"references\": [{\"url\": \"https://github.com/lnbits/lnbits/security/advisories/GHSA-qp8j-p87f-c8cc\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"shortName\": \"CISA-ADP\", \"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"dateUpdated\": \"2025-04-07T14:08:24.722Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-32013\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-06T20:07:05.624Z\", \"dateReserved\": \"2025-04-01T21:57:32.953Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-04-06T20:07:05.624Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GHSA-QP8J-P87F-C8CC

Vulnerability from github – Published: 2025-04-07 16:54 – Updated: 2025-04-10 01:55

Summary

LNbits Lightning Network Payment System Vulnerable to Server-Side Request Forgery via LNURL Authentication Callback

Details

Server-Side Request Forgery via LNURL Authentication Callback in LNbits Lightning Network Payment System

Disclaimer

This vulnerability was detected using XBOW, a system that autonomously finds and exploits potential security vulnerabilities. The finding has been thoroughly reviewed and validated by a security researcher before submission. While XBOW is intended to work autonomously, during its development human experts ensure the accuracy and relevance of its reports.

Description

A Server-Side Request Forgery (SSRF) vulnerability has been discovered in LNbits' LNURL authentication handling functionality. The vulnerability exists in the LNURL authentication callback process where the application makes HTTP requests to user-provided callback URLs and follows redirects without proper validation.

When processing LNURL authentication requests, the application accepts a callback URL parameter and makes an HTTP request to that URL using the httpx library with redirect following enabled. The application doesn't properly validate the callback URL, allowing attackers to specify internal network addresses and access internal resources.

This vulnerability allows an attacker to make the application send HTTP requests to arbitrary internal network locations, potentially exposing sensitive information or accessing internal services that should not be accessible from the internet.

Steps to Reproduce

Create a new wallet account to get an admin key:

curl -X POST http://target:5000/api/v1/account -d '{"name":"test"}'

Use the obtained admin key to send a crafted LNURL authentication request:

curl -X POST http://target:5000/api/v1/lnurlauth \
  -H "X-Api-Key: <admin_key>" \
  -H "Content-Type: application/json" \
  -d '{
    "callback": "http://target-internal-server/?tag=login&k1=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
    "k1": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
    "sig": "0"*128,
    "key": "0"*64
  }'

The application will make an HTTP request to the internal URL specified in the callback parameter and return its contents in the response, allowing access to internal resources that should not be accessible.

Mitigations

Implement strict URL validation for callback URLs, ensuring they only point to allowed domains and networks.
Use a whitelist of allowed domains and IP ranges for callback URLs.
Disable redirect following in HTTP requests or implement strict redirect validation.
Consider using a proxy service that restricts access to internal networks when making external HTTP requests.

Impact

This vulnerability allows authenticated attackers to access internal network resources that should not be accessible from the internet. While authentication is required to exploit this vulnerability, any user who can create a wallet gets the necessary access level. The vulnerability can be used to read internal files, access internal services, and potentially expose sensitive information from the internal network.

Disclosure Policy

This bug is subject to a 90-day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 15 days after the fix was made available. Regardless of this disclosure process, XBOW may privately notify other affected parties as soon as we become aware of this vulnerability.

Severity ?

9.3 (Critical)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "lnbits"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.12.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-32013"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-07T16:54:36Z",
    "nvd_published_at": "2025-04-06T20:15:15Z",
    "severity": "CRITICAL"
  },
  "details": "# Server-Side Request Forgery via LNURL Authentication Callback in LNbits Lightning Network Payment System\n\n## Disclaimer\n\nThis vulnerability was detected using **[XBOW](https://xbow.com/)**, a system that autonomously finds and exploits potential security vulnerabilities. The finding has been thoroughly reviewed and validated by a security researcher before submission. While XBOW is intended to work autonomously, during its development human experts ensure the accuracy and relevance of its reports.\n\n## Description\n\nA Server-Side Request Forgery (SSRF) vulnerability has been discovered in LNbits\u0027 LNURL authentication handling functionality. The vulnerability exists in the LNURL authentication callback process where the application makes HTTP requests to user-provided callback URLs and follows redirects without proper validation.\n\nWhen processing LNURL authentication requests, the application accepts a callback URL parameter and makes an HTTP request to that URL using the httpx library with redirect following enabled. The application doesn\u0027t properly validate the callback URL, allowing attackers to specify internal network addresses and access internal resources.\n\nThis vulnerability allows an attacker to make the application send HTTP requests to arbitrary internal network locations, potentially exposing sensitive information or accessing internal services that should not be accessible from the internet.\n\n## Steps to Reproduce\n\n1. Create a new wallet account to get an admin key:\n\n```\ncurl -X POST http://target:5000/api/v1/account -d \u0027{\"name\":\"test\"}\u0027\n```\n\n2. Use the obtained admin key to send a crafted LNURL authentication request:\n\n```\ncurl -X POST http://target:5000/api/v1/lnurlauth \\\n  -H \"X-Api-Key: \u003cadmin_key\u003e\" \\\n  -H \"Content-Type: application/json\" \\\n  -d \u0027{\n    \"callback\": \"http://target-internal-server/?tag=login\u0026k1=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08\",\n    \"k1\": \"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08\",\n    \"sig\": \"0\"*128,\n    \"key\": \"0\"*64\n  }\u0027\n```\n\nThe application will make an HTTP request to the internal URL specified in the callback parameter and return its contents in the response, allowing access to internal resources that should not be accessible.\n\n## Mitigations\n\n- Implement strict URL validation for callback URLs, ensuring they only point to allowed domains and networks.\n- Use a whitelist of allowed domains and IP ranges for callback URLs.\n- Disable redirect following in HTTP requests or implement strict redirect validation.\n- Consider using a proxy service that restricts access to internal networks when making external HTTP requests.\n\n## Impact\n\nThis vulnerability allows authenticated attackers to access internal network resources that should not be accessible from the internet. While authentication is required to exploit this vulnerability, any user who can create a wallet gets the necessary access level. The vulnerability can be used to read internal files, access internal services, and potentially expose sensitive information from the internal network.\n\n## Disclosure Policy\n\nThis bug is subject to a 90-day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 15 days after the fix was made available. Regardless of this disclosure process, XBOW may privately notify other affected parties as soon as we become aware of this vulnerability.",
  "id": "GHSA-qp8j-p87f-c8cc",
  "modified": "2025-04-10T01:55:57Z",
  "published": "2025-04-07T16:54:36Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/lnbits/lnbits/security/advisories/GHSA-qp8j-p87f-c8cc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32013"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/lnbits/lnbits"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/lnbits/PYSEC-2025-16.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "LNbits Lightning Network Payment System Vulnerable to Server-Side Request Forgery via LNURL Authentication Callback"
}

PYSEC-2025-16

Vulnerability from pysec - Published: 2025-04-06 20:15 - Updated: 2025-04-09 17:27

Details

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Impacted products

Name	purl
lnbits	pkg:pypi/lnbits

Aliases

CVE-2025-32013

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "lnbits",
        "purl": "pkg:pypi/lnbits"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.12.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.10.3.dev1",
        "0.12.10",
        "0.12.11",
        "0.12.12rc1",
        "0.12.6",
        "0.12.7",
        "0.12.8",
        "0.12.9"
      ]
    }
  ],
  "aliases": [
    "CVE-2025-32013"
  ],
  "details": "LNbits is a Lightning wallet and accounts system. A Server-Side Request Forgery (SSRF) vulnerability has been discovered in LNbits\u0027 LNURL authentication handling functionality. When processing LNURL authentication requests, the application accepts a callback URL parameter and makes an HTTP request to that URL using the httpx library with redirect following enabled. The application doesn\u0027t properly validate the callback URL, allowing attackers to specify internal network addresses and access internal resources.",
  "id": "PYSEC-2025-16",
  "modified": "2025-04-09T17:27:25.872691+00:00",
  "published": "2025-04-06T20:15:15+00:00",
  "references": [
    {
      "type": "EVIDENCE",
      "url": "https://github.com/lnbits/lnbits/security/advisories/GHSA-qp8j-p87f-c8cc"
    }
  ],
  "related": [
    "GHSA-qp8j-p87f-c8cc",
    "GHSA-qp8j-p87f-c8cc"
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

FKIE_CVE-2025-32013

Vulnerability from fkie_nvd - Published: 2025-04-06 20:15 - Updated: 2025-04-08 18:54

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/lnbits/lnbits/security/advisories/GHSA-qp8j-p87f-c8cc	Exploit
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/lnbits/lnbits/security/advisories/GHSA-qp8j-p87f-c8cc	Exploit

Impacted products

	Vendor	Product	Version
	lnbits	lnbits	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:lnbits:lnbits:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B6044020-AF79-4714-A42C-6ADC9B8B61BC",
              "versionEndExcluding": "0.12.12",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "LNbits is a Lightning wallet and accounts system. A Server-Side Request Forgery (SSRF) vulnerability has been discovered in LNbits\u0027 LNURL authentication handling functionality. When processing LNURL authentication requests, the application accepts a callback URL parameter and makes an HTTP request to that URL using the httpx library with redirect following enabled. The application doesn\u0027t properly validate the callback URL, allowing attackers to specify internal network addresses and access internal resources."
    },
    {
      "lang": "es",
      "value": "LNbits es un sistema de billetera y cuentas Lightning. Se ha descubierto una vulnerabilidad de Server-Side Request Forgery (SSRF) en la funcionalidad de gesti\u00f3n de autenticaci\u00f3n LNURL de LNbits. Al procesar solicitudes de autenticaci\u00f3n LNURL, la aplicaci\u00f3n acepta un par\u00e1metro de URL de devoluci\u00f3n de llamada y realiza una solicitud HTTP a dicha URL mediante la librer\u00eda httpx con la funci\u00f3n de redirecci\u00f3n habilitada. La aplicaci\u00f3n no valida correctamente la URL de devoluci\u00f3n de llamada, lo que permite a los atacantes especificar direcciones de red internas y acceder a recursos internos."
    }
  ],
  "id": "CVE-2025-32013",
  "lastModified": "2025-04-08T18:54:07.337",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 9.3,
          "baseSeverity": "CRITICAL",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-04-06T20:15:15.217",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit"
      ],
      "url": "https://github.com/lnbits/lnbits/security/advisories/GHSA-qp8j-p87f-c8cc"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit"
      ],
      "url": "https://github.com/lnbits/lnbits/security/advisories/GHSA-qp8j-p87f-c8cc"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-918"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-32013 (GCVE-0-2025-32013)

GHSA-QP8J-P87F-C8CC

Server-Side Request Forgery via LNURL Authentication Callback in LNbits Lightning Network Payment System

Disclaimer

Description

Steps to Reproduce

Mitigations

Impact

Disclosure Policy

PYSEC-2025-16

FKIE_CVE-2025-32013

Tags

Sightings

Nomenclature