LibreY Server-Side Request Forgery (SSRF) vulnerability in image_proxy.php
Description
LibreY is a fork of LibreX, a framework-less and JavaScript-free privacy-respecting meta search engine. LibreY is subject to a Server-Side Request Forgery (SSRF) vulnerability in the image_proxy.php file of LibreY before commit 8f9b9803f231e2954e5b49987a532d28fe50a627. This vulnerability allows remote attackers to use the server as a proxy to send HTTP GET requests to arbitrary targets and retrieve information in the internal network or conduct Denial-of-Service (DoS) attacks via the url parameter. Remote attackers can use the server as a proxy to send HTTP GET requests and retrieve information in the internal network. Remote attackers can also request the server to download large files or chain requests among multiple instances to reduce the performance of the server or even deny access to legitimate users. This issue has been addressed in https://github.com/Ahwxorg/LibreY/pull/31. LibreY hosters are advised to use the latest commit. There are no known workarounds for this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
LibreY before commit 8f9b9803 is vulnerable to SSRF via a flaw in get_root_domain() in image_proxy.php, allowing internal network probing and DoS.
Vulnerability
LibreY, a fork of the LibreX privacy-respecting meta search engine, contains a Server-Side Request Forgery (SSRF) vulnerability in image_proxy.php prior to commit 8f9b9803f231e2954e5b49987a532d28fe50a627. The flaw resides in the get_root_domain() function in misc/tools.php, which incorrectly parses the domain from a user-supplied url parameter, so the intended domain allowlist (which only permits qwant.com, wikimedia.org, and a configured Invidious instance) can be bypassed. This allows an attacker to force the server to make HTTP GET requests to arbitrary external or internal destinations.
Exploitation
An attacker can send a crafted HTTP GET request to image_proxy.php with a malicious url parameter (e.g., http://internal-service/). The server will then issue an HTTP GET request to that target, using the server's network position. No authentication is required, and no user interaction is needed beyond the initial request. The attacker can also set the url to a very large file or chain requests across multiple LibreY instances to consume server resources.
Impact
On success, an attacker can probe internal network services reachable from the LibreY server, potentially retrieving sensitive information from internal hosts (information disclosure). Additionally, by requesting large files or orchestrating multiple requests, the attacker can degrade server performance or cause a denial-of-service condition, making the search service unavailable to legitimate users.
Mitigation
The vulnerability is fixed in commit 8f9b9803f231e2954e5b49987a532d28fe50a627 (pull request #31) [1][2]. LibreY hosters are advised to update to the latest commit immediately. There are no known workarounds other than applying the patch.
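The advisory attributes the bypass to the allowlist check parsing the host out of the url parameter incorrectly. The following is an added example, not LibreY's code and not the patch in pull request #31, of the kind of check an image proxy needs before fetching a user-supplied URL: the host is taken from parse_url rather than from string matching, compared against the allowlist at a label boundary, and its resolved addresses are refused if they fall in private or reserved ranges. The allowlist entries qwant.com and wikimedia.org come from the advisory; the Invidious host name, the resolver and the IP addresses in the demonstration are placeholders constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example (not LibreY's own code): the allowlist check an image proxy needs
// so that a user-supplied "url" parameter can only be fetched from intended hosts.
// "invidious.example" stands in for the instance an operator configures.

const ALLOWED_SCHEMES = ['http', 'https'];
const ALLOWED_DOMAINS = ['qwant.com', 'wikimedia.org', 'invidious.example'];

/**
 * True when $host equals an allowed domain or is a subdomain of one. The suffix
 * match is anchored at a label boundary, so "qwant.com.attacker.test" and
 * "notqwant.com" are rejected, while "upload.wikimedia.org" is accepted.
 */
function host_is_allowed(string $host, array $allowed): bool
{
    $host = strtolower(rtrim($host, '.'));          // normalise case and trailing dot
    foreach ($allowed as $domain) {
        $domain = strtolower($domain);
        if ($host === $domain || str_ends_with($host, '.' . $domain)) {
            return true;
        }
    }
    return false;
}

/**
 * True when $ip is a public address: private (RFC 1918, fc00::/7), loopback,
 * link-local and other reserved ranges are refused. Applied to the resolved
 * addresses so an allowed name that points at an internal host is still denied.
 */
function ip_is_public(string $ip): bool
{
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

/**
 * Validates a proxy target and returns a normalised URL to fetch, or null when the
 * request must be refused. $resolver maps a host name to its IP addresses and is
 * injectable so the check can be exercised without network access (the default
 * uses gethostbynamel, which returns IPv4 addresses only).
 */
function validate_proxy_url(string $url, ?callable $resolver = null): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;                                // malformed or relative URL
    }
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ALLOWED_SCHEMES, true)) {
        return null;                                // file://, gopher://, ftp:// ...
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;                                // refuse userinfo outright
    }
    $host = strtolower(rtrim($parts['host'], '.'));
    if (!host_is_allowed($host, ALLOWED_DOMAINS)) {
        return null;
    }
    $resolver ??= static fn(string $h): array => gethostbynamel($h) ?: [];
    $ips = $resolver($host);
    if ($ips === []) {
        return null;                                // unresolvable name
    }
    foreach ($ips as $ip) {
        if (!ip_is_public($ip)) {
            return null;                            // any internal address: refuse
        }
    }
    // Rebuild the URL from validated components only (drops fragment and userinfo).
    return $scheme . '://' . $host
        . (isset($parts['port']) ? ':' . $parts['port'] : '')
        . ($parts['path'] ?? '/')
        . (isset($parts['query']) ? '?' . $parts['query'] : '');
}

// Demonstration with a constructed resolver: no DNS lookups, addresses are made up.
$fakeResolver = static fn(string $h): array => match ($h) {
    'upload.wikimedia.org' => ['203.0.113.10'],     // constructed public address
    'internal.qwant.com'   => ['10.0.0.5'],         // constructed private address
    default                => [],
};
foreach ([
    'https://upload.wikimedia.org/a.png',           // allowed
    'http://127.0.0.1:8080/',                       // host not on the allowlist
    'https://qwant.com.attacker.test/x',            // suffix spoof fails label check
    'https://internal.qwant.com/',                  // allowed name, private address
    'file:///etc/hostname',                         // scheme not allowed
] as $candidate) {
    printf("%-40s => %s\n", $candidate,
        validate_proxy_url($candidate, $fakeResolver) ?? 'REFUSED');
}
```

Two caveats belong with a check like this. Resolving the name here and again inside the HTTP client leaves a window for the answer to change between the two lookups, so the client should connect to the address that was validated, or the validation should run again on every redirect hop with redirect following disabled otherwise. Separately, a host allowlist does nothing about the resource-exhaustion path the advisory describes; the fetch itself needs a response-size cap and a timeout.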
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Ahwxorg/LibreY v5, range: < 8f9b9803f231e2954e5b49987a532d28fe50a627
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/Ahwxorg/LibreY/pull/31 (x_refsource_MISC)
- github.com/Ahwxorg/LibreY/security/advisories/GHSA-p4f9-h8x8-mpwf (x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.