Impact
NewsBlur versions prior to 14.5.0 contain a server‑side request forgery flaw in the add_url endpoint that permits authenticated users to send requests to arbitrary URLs without proper validation of target addresses. This omission lets attackers reach internal hosts, including localhost services and cloud metadata endpoints, thereby exposing internal network scanners and sensitive data for exfiltration.
Affected Systems
All NewsBlur releases before version 14.5.0, maintained by Samuel Clay, are vulnerable. The issue was addressed in the 14.5.0 release, which includes input validation to block internal requests.
Risk and Exploitability
The CVSS score of 6.3 indicates moderate severity. No EPSS data is available, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires an authenticated user; however, once authenticated the attacker can conduct internal reconnaissance and, with sufficient access, exfiltrate confidential data. The lack of a firewall or network segmentation may increase the risk of broader compromise.
OpenCVE Enrichment