The vulnerability is a server‑side request forgery that allows an attacker to force the application to retrieve a URL that initially appears valid but ultimately redirects to an internal host. Because the server reuses the initial validation without checking the final destination, it fetches the internal resource unimpeded. This flaw, classified as CWE‑918, permits unauthorized access to internal network services, potentially exposing sensitive data or allowing further internal exploitation. The attack can be performed remotely by sending a crafted request to the /api/public/stream endpoint. Affected systems include the GitRoomHQ Postiz application, versions released before 2.21.5. Any deployment of Postiz that has not applied the 2.21.5 update is vulnerable. The vulnerability applies to all installations where the /api/public/stream endpoint is exposed, regardless of user role. Risk assessment indicates a high severity score of 8.2 on CVSS, suggesting significant potential impact. The EPSS score is below 1%, implying a low probability of exploitation at this time, and the vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is a remote HTTP request that passes initial validation but follows a redirect to an internal target.

The vulnerability affects the GitRoomHQ Postiz application before version 2.21.5. Any installations using prior releases that expose the /api/public/stream endpoint are at risk. No specific platform details are available beyond the Postiz app itself.

The CVSS score of 8.2 reflects a high severity due to the potential for unauthorized internal network access. An attacker could exploit the flaw remotely by crafting a request that leverages server‑side redirects to reach internal services. The EPSS score of less than 1% suggests that the likelihood of exploitation remains low at present, and the vulnerability has not yet been listed in the CISA KEV catalog.