Critical severity · NVD Advisory · Published Apr 6, 2025 · Updated Apr 7, 2025
Server-Side Request Forgery via LNURL Authentication Callback in LNbits Lightning Network Payment System
CVE-2025-32013
Description
LNbits is a Lightning wallet and accounts system. A Server-Side Request Forgery (SSRF) vulnerability has been discovered in LNbits' LNURL authentication handling functionality. When processing LNURL authentication requests, the application accepts a callback URL parameter and makes an HTTP request to that URL using the httpx library with redirect following enabled. The application doesn't properly validate the callback URL, allowing attackers to specify internal network addresses and access internal resources.
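The two defects named above (no validation of the attacker-supplied callback URL, and automatic redirect following) can each be closed on the server side before any request leaves the host. The following is an added example, not LNbits code: it assumes an https-only callback policy and takes an injectable resolver so the address checks can be exercised without DNS.

```python
import ipaddress
import socket
from urllib.parse import urlparse

def _resolve(host):
    """Resolve a hostname to all of its A/AAAA addresses (real DNS; swapped out in tests)."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]

def _is_public(addr):
    """Only globally routable unicast addresses are acceptable callback targets."""
    # IPv4-mapped IPv6 (::ffff:127.0.0.1) is judged as the embedded IPv4 address.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    # is_global is False for loopback, RFC 1918, link-local (169.254/16, fe80::/10),
    # 0.0.0.0 and other reserved ranges; multicast is excluded explicitly.
    return addr.is_global and not addr.is_multicast

def is_safe_callback_url(url, resolve=_resolve):
    """Assumed policy: https only, no userinfo, and every address the host
    resolves to must be public (a mixed public/private record set fails)."""
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.hostname:
        return False
    if parts.username is not None or parts.password is not None:
        return False  # reject userinfo tricks such as https://good.example@127.0.0.1/
    try:
        addrs = [ipaddress.ip_address(parts.hostname)]  # literal IP, no DNS needed
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(parts.hostname)]
        except (OSError, ValueError):  # socket.gaierror is an OSError subclass
            return False
    return bool(addrs) and all(_is_public(a) for a in addrs)

def fetch_callback(url, resolve=_resolve):
    """Request the callback only after validation and never follow redirects:
    a validated public host could still 302 to an internal address.
    Caveat: validate-then-connect remains exposed to DNS rebinding between the
    lookup and the connection; pinning the connection to the checked IP closes that."""
    import httpx  # assumed installed where this runs; lazy import keeps validation testable offline
    if not is_safe_callback_url(url, resolve):
        raise ValueError("callback URL rejected by SSRF policy")
    with httpx.Client(follow_redirects=False, timeout=10.0) as client:
        response = client.get(url)
    if response.is_redirect:
        raise ValueError("callback returned a redirect; not followed")
    return response
```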
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| lnbits (PyPI) | <= 0.12.12 | — |
References
- github.com/advisories/GHSA-qp8j-p87f-c8cc (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-32013 (NVD advisory)
- github.com/lnbits/lnbits/security/advisories/GHSA-qp8j-p87f-c8cc (vendor advisory, x_refsource_CONFIRM)
- github.com/pypa/advisory-database/tree/main/vulns/lnbits/PYSEC-2025-16.yaml (PyPI advisory database)