CVE-2025-32013: Server-Side Request Forgery via LNURL Authentication Callback in LNbits Lightning Network Payment System

9.3 CVSS

Description

LNbits is a Lightning wallet and accounts system. A Server-Side Request Forgery (SSRF) vulnerability has been discovered in LNbits' LNURL authentication handling. When processing an LNURL authentication request, the application accepts a callback URL parameter and makes an HTTP request to that URL using the httpx library with redirect following enabled. The application does not properly validate the callback URL, allowing attackers to specify internal network addresses and access internal resources.
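The defensive check that the description implies is missing, written here as an added example (not LNbits code): the callback host must resolve only to public addresses, the scheme and port must be the expected ones, and the request must be issued with redirect following disabled so a public host cannot bounce it to an internal one. The `resolve` parameter is an assumption that lets the check run offline with constructed DNS answers.

```python
"""Validate an LNURL-auth callback URL before the server fetches it.

Added example, not LNbits' own code. `resolve` is injectable so the check
can be exercised with constructed DNS answers instead of a live lookup.
"""
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {443}


def default_resolve(host: str) -> Iterable[str]:
    """Real DNS lookup: every address the host resolves to (A and AAAA)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_public_address(addr: str) -> bool:
    """True only for globally routable unicast addresses.

    is_global is False for loopback, RFC 1918, link-local (which covers the
    169.254.169.254 metadata address), CGNAT, ULA and documentation ranges.
    """
    ip = ipaddress.ip_address(addr)
    return ip.is_global and not ip.is_multicast


def callback_url_is_safe(url: str,
                         resolve: Callable[[str], Iterable[str]] = default_resolve) -> bool:
    """Return True when the callback may be fetched (with follow_redirects=False)."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    if parts.username or parts.password:  # reject user:pass@host forms
        return False
    if (parts.port if parts.port is not None else 443) not in ALLOWED_PORTS:
        return False
    host = parts.hostname
    try:
        # Literal IPs are checked directly; names are checked for *every* answer,
        # so a host that mixes a public and a private record is still rejected.
        ipaddress.ip_address(host)
        addrs = [host]
    except ValueError:
        try:
            addrs = list(resolve(host))
        except (socket.gaierror, OSError):
            return False
    return bool(addrs) and all(is_public_address(a) for a in addrs)
```

When the URL passes, fetch it with `httpx.get(url, follow_redirects=False)` and treat any 3xx response as a failure rather than following it, since a redirect target bypasses this check.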

Classification

CVE ID: CVE-2025-32013

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.3

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Problem Types

CWE-918: Server-Side Request Forgery (SSRF)

Affected Products

Vendor: lnbits

Product: lnbits

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.02% (estimated probability of exploitation activity in the next 30 days)

EPSS Percentile: 1.79% (share of all scored CVEs with an EPSS score less than or equal to this one)

EPSS Date: 2025-04-18 (date this score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-32013
https://github.com/lnbits/lnbits/security/advisories/GHSA-qp8j-p87f-c8cc

Timeline