CVE-2025-32013
📋 TL;DR
This SSRF vulnerability in LNbits allows attackers to make the server send HTTP requests to internal network resources by manipulating LNURL authentication callback URLs. Attackers can potentially access sensitive internal systems and services. All LNbits instances using vulnerable versions are affected.
💻 Affected Systems
- LNbits
📦 What is this software?
LNbits by LNbits
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access internal admin interfaces, cloud metadata services, database endpoints, or other internal systems, potentially leading to full network compromise.
Likely Case
Attackers scan and access internal services, retrieve sensitive information from internal APIs, or use the vulnerable server as a proxy for internal reconnaissance.
If Mitigated
With proper network segmentation and egress filtering, impact is limited to the server's local network segment only.
🎯 Exploit Status
Exploitation requires LNURL authentication functionality to be enabled and accessible
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Latest version with fix applied
Vendor Advisory: https://github.com/lnbits/lnbits/security/advisories/GHSA-qp8j-p87f-c8cc
Restart Required: Yes
Instructions:
1. Update LNbits to the latest version.
2. Restart the LNbits service.
3. Verify the fix by testing with controlled callback URLs.
🔧 Temporary Workarounds
Disable LNURL Authentication
Applies to: all platforms. Temporarily disable LNURL authentication functionality until patching is possible.
Configure LNbits to disable LNURL authentication in settings
Network Egress Filtering
Applies to: Linux. Implement firewall rules to restrict outbound HTTP/HTTPS traffic from the LNbits server. Note that the two rules below drop all outbound HTTP/HTTPS from the host, including legitimate LNURL requests to external wallets and services; if that traffic is required, restrict the DROP rules to internal destination ranges instead.
iptables -A OUTPUT -p tcp --dport 80 -j DROP
iptables -A OUTPUT -p tcp --dport 443 -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to isolate LNbits server from sensitive internal resources
- Deploy a web application firewall (WAF) with SSRF protection rules
🔍 How to Verify
Check if Vulnerable:
Attempt LNURL authentication with a callback URL that points to an internal service (e.g., http://localhost/admin) and observe whether the server makes the request.
Check Version:
Check the LNbits version in the web interface or via the API endpoint.
Verify Fix Applied:
After patching, repeat the vulnerable test and confirm internal callback URLs are rejected or properly validated
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound HTTP requests from LNbits server to internal IP addresses
- LNURL authentication attempts with suspicious callback URLs
Network Indicators:
- HTTP requests from LNbits server to internal network ranges (10.x.x.x, 172.16.x.x, 192.168.x.x)
- Unexpected outbound traffic on ports 80/443 from the server
SIEM Query:
source="lnbits" AND (url CONTAINS "localhost" OR url CONTAINS "127.0.0.1" OR url CONTAINS "10." OR url CONTAINS "172.16." OR url CONTAINS "192.168.")
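The "Verify Fix Applied" step and the detection section both come down to one question: does a callback URL resolve to a non-public address? The following is an added example in Python (not LNbits project code, and not how the upstream fix is implemented) that answers it with the standard library's ipaddress module and then applies the same check to log lines. Checking the resolved address rather than substrings avoids the false positive of "10." matching a path like "/v10.2/" and the gap of "172.16." missing 172.17 through 172.31. The log format, the callback= field and the use of 93.184.216.34 as a public IP literal (so the example runs without DNS) are assumptions for this example.

```python
"""Added example (not LNbits project code, and not the upstream fix): decide
whether an LNURL callback URL would make the server contact a non-public
address, then run that decision over log lines.

Assumptions for this example: the log format and 'callback=' field below are
constructed, and 93.184.216.34 is used only as a public IP literal so the
example runs without DNS.
"""
import ipaddress
import re
import socket
from typing import Callable, List, Optional, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def default_resolver(host: str) -> List[str]:
    """Return every A/AAAA address the system resolver gives for host."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [info[4][0] for info in infos]


def callback_rejection_reason(
    url: str, resolver: Callable[[str], List[str]] = default_resolver
) -> Optional[str]:
    """Return None if the callback may be fetched, otherwise a reason to refuse.

    The resolver is injectable so the check can be unit-tested without DNS.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return "credentials embedded in URL"
    host = parts.hostname  # lower-cased, with userinfo, port and [] stripped
    if not host:
        return "missing host"
    if host == "localhost" or host.endswith(".localhost"):
        addresses = ["127.0.0.1"]  # never trust DNS for this name
    else:
        try:
            ipaddress.ip_address(host)  # literal IPv4/IPv6 address
            addresses = [host]
        except ValueError:
            try:
                addresses = resolver(host)
            except OSError:
                return f"unresolvable host {host!r}"  # fail closed
    for raw in addresses:
        ip = ipaddress.ip_address(raw.split("%", 1)[0])  # drop IPv6 scope id
        # is_global is False for loopback, RFC 1918, link-local (including the
        # 169.254.169.254 cloud metadata address), CGNAT and reserved ranges.
        if not ip.is_global:
            return f"{host!r} resolves to non-public address {ip}"
    return None


# Constructed sample log lines (format assumed; not LNbits' real log layout).
SAMPLE_LOG = """\
2025-04-10T12:00:01Z lnbits lnurlauth callback=https://93.184.216.34/lnurl/cb?k1=abc
2025-04-10T12:00:02Z lnbits lnurlauth callback=http://localhost:5000/admin/api/v1/users
2025-04-10T12:00:03Z lnbits lnurlauth callback=http://169.254.169.254/latest/meta-data/
2025-04-10T12:00:04Z lnbits lnurlauth callback=http://172.20.0.5/db/status
2025-04-10T12:00:05Z lnbits lnurlauth callback=https://93.184.216.34/v10.2/cb
"""

CALLBACK_RE = re.compile(r"callback=(\S+)")


def flag_internal_callbacks(
    log_text: str, resolver: Callable[[str], List[str]] = default_resolver
) -> List[Tuple[str, str]]:
    """Return (url, reason) for each log line whose callback targets a
    non-public address. Parsing the host and checking the address avoids the
    substring pitfalls of matching '10.' (hits 'v10.2') or '172.16.' (misses
    172.17 through 172.31)."""
    hits = []
    for line in log_text.splitlines():
        match = CALLBACK_RE.search(line)
        if not match:
            continue
        url = match.group(1)
        reason = callback_rejection_reason(url, resolver)
        if reason is not None:
            hits.append((url, reason))
    return hits


if __name__ == "__main__":
    for url, reason in flag_internal_callbacks(SAMPLE_LOG):
        print(f"ALERT {url}: {reason}")
```

Run against the constructed log, three of the five lines are flagged (localhost, the metadata address and 172.20.0.5) and the "/v10.2/" line is correctly left alone. If the same check is adopted as a request-time guard, apply it to the address the HTTP client actually connects to, or pin the resolved address for the request, since a hostname that validates now can resolve to an internal address by the time the request is sent.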