LibreY Server-Side Request Forgery (SSRF) vulnerability via wikipedia_language cookie
Description
LibreY is a fork of LibreX, a framework-less and javascript-free privacy respecting meta search engine. LibreY is subject to a Server-Side Request Forgery (SSRF) vulnerability in the engines/google/text.php and engines/duckduckgo/text.php files in versions before commit be59098abd119cda70b15bf3faac596dfd39a744. This vulnerability allows remote attackers to request the server to send HTTP GET requests to arbitrary targets and conduct Denial-of-Service (DoS) attacks via the wikipedia_language cookie. Remote attackers can request the server to download large files to reduce the performance of the server or even deny access from legitimate users. This issue has been patched in https://github.com/Ahwxorg/LibreY/pull/9. LibreY hosters are advised to use the latest commit. There are no known workarounds for this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
LibreY SSRF vulnerability via wikipedia_language cookie allows attackers to send arbitrary GET requests and conduct DoS attacks.
Vulnerability
LibreY, a fork of LibreX, is a privacy-respecting meta search engine. In versions before commit be59098abd119cda70b15bf3faac596dfd39a744, the files engines/google/text.php and engines/duckduckgo/text.php contain a Server-Side Request Forgery (SSRF) vulnerability. The wikipedia_language cookie is used directly in constructing a URL for a cURL request without proper validation, allowing an attacker to control the host and path of the request [1], [2].
Exploitation
An attacker can set the wikipedia_language cookie to a value containing a slash and a hash symbol (e.g., attacker.com/#), which causes the server to send a GET request to an arbitrary target instead of the intended Wikipedia API [2]. No authentication is required, and the attacker can exploit this remotely. By requesting the server to download large files, the attacker can perform Denial-of-Service (DoS) attacks [1], [2].
Impact
Successful exploitation allows the attacker to force the LibreY server to send HTTP GET requests to any destination. This can be used to conduct DoS attacks by consuming server resources, and if the server is behind a CDN, the SSRF can disclose the original server IP, bypassing DDoS protection [2]. However, the response from the target is not returned to the attacker (blind SSRF), limiting direct information disclosure [2].
Mitigation
The vulnerability has been patched in commit be59098abd119cda70b15bf3faac596dfd39a744, which is included in Pull Request #9 [1]. LibreY hosters are advised to update to the latest commit. No known workarounds exist [1], [2].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Ahwxorg/LibreYv5Range: < be59098abd119cda70b15bf3faac596dfd39a744
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
2- github.com/Ahwxorg/LibreY/pull/9mitrex_refsource_MISC
- github.com/Ahwxorg/LibreY/security/advisories/GHSA-xfj6-4vp9-8rgcmitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.