Impact
ntfy before 2.22.0 allows SSRF because of an unanchored regular expression for web push endpoint URLs. This weakness lets an attacker submit a crafted request that forces the server to perform arbitrary outbound HTTP requests to any target URL, potentially exposing internal resources or facilitating further attacks. The issue corresponds to the CWE‑777 category of insufficient input validation, as well as CWE‑94, which covers code execution vulnerabilities arising from unvalidated input.
Affected Systems
All ntfy installations older than version 2.22.0 are affected. The product is the open‑source notification server hosted at ntfy.sh and distributed through the ntfy project.
Risk and Exploitability
The CVSS score of 6.4 indicates a moderate severity, while the EPSS score of < 1 % signals a low probability of real‑world exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that exploitation could involve sending a crafted request to the parseActions endpoint without requiring authentication; once triggered, the server will send arbitrary outbound HTTP requests, potentially reaching internal networks or enabling further attacks.
OpenCVE Enrichment
Github GHSA