CVE-2025-52186
📋 TL;DR
This SSRF vulnerability in Lichess lila allows remote attackers to force the server to make HTTP requests to arbitrary internal or external URLs via the game export API. Attackers could potentially access internal services, scan internal networks, or use the server as a proxy for attacks. All Lichess lila instances before the fixed commit are affected.
💻 Affected Systems
- Lichess lila
📦 What is this software?
Lila (lichess in scala) is the open-source Scala server application that powers lichess.org, maintained by Lichess.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access internal services, exfiltrate sensitive data from internal systems, perform port scanning of internal networks, or use the server as a pivot point for further attacks against internal infrastructure.
Likely Case
Attackers could scan internal networks, access metadata services (like AWS/Azure instance metadata), or use the server to make requests to external services while appearing to originate from the Lichess server.
If Mitigated
With proper network segmentation and egress filtering, the impact would be limited to the server making unauthorized external requests, potentially causing reputation damage or being used in DDoS attacks.
🎯 Exploit Status
SSRF vulnerabilities are commonly exploited and require minimal technical skill. The vulnerability is in a public API endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Commit 11b4c0fb00f0ffd823246f839627005459c8f05c or later
Vendor Advisory: https://github.com/lichess-org/lila/commit/11b4c0fb00f0ffd823246f839627005459c8f05c
Restart Required: Yes
Instructions:
1. Update to commit 11b4c0fb00f0ffd823246f839627005459c8f05c or later
2. Restart the lila service
3. Verify the fix by testing the game export API with malicious URLs
🔧 Temporary Workarounds
Disable game export API
Temporarily disable the vulnerable game export API endpoint
Modify lila configuration to disable export API endpoints
Network egress filtering
Restrict outbound HTTP requests from the lila server
Configure firewall to only allow necessary outbound connections from lila server
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the lila server from internal services
- Deploy a web application firewall (WAF) with SSRF protection rules
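An application-level counterpart to the egress filtering and WAF rules above, as an added example that is not lila's own code (the real fix is the commit linked under Official Fix): a check applied to any user-supplied URL before the server fetches it. The function names, the allowed-port policy and the DNS table are assumptions constructed for the demonstration; the table stands in for a live resolver so the code runs offline.

```python
import ipaddress
from urllib.parse import urlparse

# Hypothetical policy for server-side fetches: only plain HTTP(S) on the default
# ports, and only to hosts whose every address is globally routable.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}

# Constructed DNS table so the example runs offline; these are not live answers.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "localhost": ["127.0.0.1"],
    "db.corp.example": ["10.0.5.12"],               # RFC 1918 address
    "metadata.cloud.example": ["169.254.10.10"],    # link-local, where cloud metadata services sit
    "mixed.example": ["93.184.216.34", "127.0.0.1"], # one public and one loopback record
}

def fake_resolve(host: str) -> list[str]:
    """Stand-in for socket.getaddrinfo(): returns every address for a name."""
    if host not in FAKE_DNS:
        raise OSError(f"cannot resolve {host}")
    return FAKE_DNS[host]

def is_public_ip(addr: str) -> bool:
    """Globally routable unicast only: rejects loopback, private, link-local,
    multicast, reserved and unspecified addresses, IPv4 and IPv6 alike."""
    ip = ipaddress.ip_address(addr)
    return ip.is_global and not ip.is_multicast

def check_outbound_url(url: str, resolve=fake_resolve) -> tuple[bool, str]:
    """Decide whether the server may fetch `url`. Returns (allowed, reason)."""
    try:
        parsed = urlparse(url)
    except ValueError:
        return False, "unparseable URL"
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parsed.scheme!r} not allowed"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    if parsed.username is not None or parsed.password is not None:
        return False, "credentials in URL"
    try:
        port = parsed.port
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    # A literal IP needs no lookup; a name is resolved to ALL its addresses and
    # rejected if any one of them is internal, so mixed records cannot slip through.
    try:
        ipaddress.ip_address(host)
        addrs = [host]
    except ValueError:
        try:
            addrs = resolve(host)
        except OSError as e:
            return False, str(e)
    for addr in addrs:
        try:
            if not is_public_ip(addr):
                return False, f"{host} resolves to non-public address {addr}"
        except ValueError:
            return False, f"unparseable address {addr!r} for {host}"
    return True, "ok"
```

Two caveats that belong with any such check: it must be repeated on every HTTP redirect target, because a public host can redirect the client to an internal one, and the connection should be made to the address that was validated rather than re-resolving the name, otherwise a DNS answer that changes between check and connect bypasses the filter.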
🔍 How to Verify
Check if Vulnerable:
Test the game export API with a URL parameter pointing to an internal service or external monitoring service
Check Version:
git log --oneline -1
(prints the deployed HEAD commit; the fix is present only if that commit is 11b4c0fb00f0ffd823246f839627005459c8f05c or a later commit that contains it)
Verify Fix Applied:
After patching, test the same SSRF payloads and verify they are rejected or sanitized
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound HTTP requests from lila server
- Requests to internal IP addresses from lila
- Multiple failed export API requests with URL parameters
Network Indicators:
- HTTP requests from lila server to unexpected destinations
- Port scanning patterns originating from lila server
SIEM Query:
source="lila" AND (url="*export*" OR endpoint="*export*") AND (parameter="*http://*" OR parameter="*https://*")
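The log indicators and the SIEM query above, run offline over constructed access-log lines as an added example (this is not a lila log format; the line layout, the export path and the parameter handling are assumptions). It flags export requests whose URL parameter names a loopback, private or link-local target, and counts failed export requests carrying a URL parameter per client, which is the "multiple failed export API requests" indicator.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Constructed access-log lines (NOT real lila logs). Assumed layout:
# <client ip> <status> <method> <request target>
SAMPLE_LOG = """\
198.51.100.7 200 GET /api/games/export?url=https%3A%2F%2Fexample.com%2Fgames.pgn
198.51.100.7 400 GET /api/games/export?url=http%3A%2F%2F127.0.0.1%2F
198.51.100.7 400 GET /api/games/export?url=http%3A%2F%2F10.0.5.12%2Fadmin
198.51.100.7 400 GET /api/games/export?url=http%3A%2F%2F10.0.5.13%2F
198.51.100.7 400 GET /api/games/export?url=http%3A%2F%2Flocalhost%2F
203.0.113.9 200 GET /game/abcd1234
203.0.113.9 200 GET /api/games/export?url=https%3A%2F%2Fexample.org%2Fx.pgn
"""

LINE_RE = re.compile(r"^(?P<client>\S+) (?P<status>\d{3}) (?P<method>[A-Z]+) (?P<target>\S+)$")

# Hostnames treated as internal even though they are not IP literals.
INTERNAL_NAMES = {"localhost"}
INTERNAL_SUFFIXES = (".internal", ".local", ".localhost")

def target_is_internal(url: str) -> bool:
    """True when the URL's host is a non-global IP literal or a well-known
    internal name. Logs are judged after the fact, so names are not resolved:
    an ordinary public hostname yields False rather than a lookup."""
    host = urlparse(url).hostname
    if not host:
        return False
    if host in INTERNAL_NAMES or host.endswith(INTERNAL_SUFFIXES):
        return True
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return False

def url_params(query: str) -> list[str]:
    """Every query-parameter value that is an absolute http(s) URL, whichever
    parameter carries it (the parameter="*http://*" clause of the SIEM query)."""
    return [v for vals in parse_qs(query).values() for v in vals
            if v.lower().startswith(("http://", "https://"))]

def scan_export_log(text: str, failure_threshold: int = 3):
    """Return (alerts, noisy_clients):
    alerts        - (client, url) for export requests aimed at an internal target
    noisy_clients - clients with >= failure_threshold failed (4xx/5xx) export
                    requests that carried a URL parameter"""
    alerts: list[tuple[str, str]] = []
    failures: Counter = Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        path, _, query = m["target"].partition("?")
        if "export" not in path or not query:
            continue
        urls = url_params(query)
        if not urls:
            continue
        if m["status"][0] in "45":
            failures[m["client"]] += 1
        alerts.extend((m["client"], u) for u in urls if target_is_internal(u))
    noisy = {c: n for c, n in failures.items() if n >= failure_threshold}
    return alerts, noisy

if __name__ == "__main__":
    found, noisy = scan_export_log(SAMPLE_LOG)
    for client, url in found:
        print(f"ALERT internal export target {url} from {client}")
    for client, n in noisy.items():
        print(f"ALERT {n} failed export requests with URL parameters from {client}")
```

The per-client failure count is the more robust of the two signals in practice: once the fix is deployed, rejected requests still surface as 4xx responses, and a burst of them from one client is worth a look even when every target looks public.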