CVE-2025-32013

Server-Side Request Forgery via LNURL Authentication Callback in LNbits Lightning Network Payment System

CVSS 9.3 CRITICALEPSS 0.6%CWE-918

Vexday Risk Score

28Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 9.3EPSS 0.6%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

06 Apr 2025Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

LNbits is a Lightning wallet and accounts system. A Server-Side Request Forgery (SSRF) vulnerability has been discovered in LNbits' LNURL authentication handling functionality. When processing LNURL authentication requests, the application accepts a callback URL parameter and makes an HTTP request to that URL using the httpx library with redirect following enabled. The application doesn't properly validate the callback URL, allowing attackers to specify internal network addresses and access internal resources.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Affected products

lnbits · lnbits

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/lnbits/lnbits/security/advisories/GHSA-qp8j-p87f-c8cc