Postiz versions 2.16.6 through 2.21.6 contain a Time‑of‑Check-to‑Time‑of‑Use flaw in the isSafePublicHttpsUrl() routine. The function first resolves a domain to an IP address for validation, but later fetch() calls independently resolve DNS again. This gap allows an attacker who controls a DNS server to redirect requests during the window between the check and the use, making the application reach internal network addresses through DNS rebinding. The result is that an external adversary can force the server to make requests to protected internal resources, potentially exposing sensitive data or enabling further lateral movement. The weakness maps to CWE‑918: Server‑Side Request Forgery.

GitroomHQ Postiz‑app is affected from version 2.16.6 up to, but not including, version 2.21.7. Any deployment of those releases in an environment where untrusted DNS responses can be injected is vulnerable. Version 2.21.7 and subsequent releases include a patch that removes the TOCTOU gap.

The CVSS score of 6.5 indicates a medium severity issue. While the EPSS metric is not available, the vulnerability is not recorded in the CISA KEV catalog. Likely attack vectors involve an attacker who can influence the DNS resolution for URLs processed by the application, such as by hosting a malicious domain or exploiting a misconfigured DNS resolver. Because the flaw relies on DNS rebinding, an exploit requires control over DNS responses rather than direct access to the target system. The attack bypasses all SSRF‑related URL validation paths in the affected releases, enabling unauthorized internal network access.