Moderate severity · OSV Advisory · Published Dec 29, 2025 · Updated Dec 29, 2025
Hemmelig has SSRF Filter bypass in Secret Request functionality
CVE-2025-69206
Description
Hemmelig is a messaging app with client-side encryption and self-destructing messages. Prior to version 7.3.3, the webhook URL validation of the Secret Requests feature was vulnerable to a Server-Side Request Forgery (SSRF) filter bypass. The validation attempts to block internal and private IP addresses, but it can be bypassed with DNS rebinding (a hostname that resolves to a public address when the URL is validated and to an internal address when the request is actually made) or with an open redirect service (a public URL that redirects to an internal address, which the server's HTTP client then follows). An authenticated user can therefore make the server issue HTTP requests to resources on its internal network. Version 7.3.3 contains a patch for the issue.
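The two bypasses come from the gap between checking a URL and using it. The following is an added example, not code from Hemmelig or its fix: it shows a delivery path that resolves and checks the target once and then lets the HTTP client resolve again and follow redirects (the pattern the advisory describes), next to a version that pins the connection to the checked address and refuses redirects. All names, addresses and functions are constructed for the demo (hooks.attacker.example, redirector.example, 203.0.113.10, 10.0.0.5, makeFakeResolver, fakeTransport); DNS and HTTP are in-memory fakes so it runs offline, and everything is synchronous for the same reason.

```javascript
// Added example, not Hemmelig's code. Real code would use dns.promises.resolve()
// for the lookup and a `lookup` override on the http.Agent / undici connector
// to pin the connection; the fakes below stand in for both.

// "::ffff:7f00:1" (how WHATWG URL serialises an IPv4-mapped address) or
// "::ffff:127.0.0.1" -> "127.0.0.1"; anything else -> null.
function mappedV4(ip6) {
  const dotted = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(ip6);
  if (dotted) return dotted[1];
  const hex = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(ip6);
  if (!hex) return null;
  const hi = parseInt(hex[1], 16), lo = parseInt(hex[2], 16);
  return `${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`;
}

// Loopback, unspecified, RFC 1918, link-local, CGNAT and IPv6 ULA/link-local.
// Anything that is not an IP literal is treated as unsafe.
function isPrivateAddress(ip) {
  const s = ip.toLowerCase().replace(/^\[|\]$/g, '');
  if (s.includes(':')) {
    const v4 = mappedV4(s);
    if (v4) return isPrivateAddress(v4);
    return s === '::1' || s === '::' || /^f[cd]/.test(s) || /^fe[89ab]/.test(s);
  }
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return true;
  const a = Number(m[1]), b = Number(m[2]);
  return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168) ||
    (a === 100 && b >= 64 && b <= 127);
}

function isIpLiteral(host) { return host.includes(':') || /^\d+\.\d+\.\d+\.\d+$/.test(host); }

// Parse with WHATWG URL so "http://2130706433/" or "http://0x7f.1/" become
// 127.0.0.1 before the check, resolve, and reject if ANY answer is private.
// Returns the checked address so the caller can connect to it directly.
function resolveAndCheck(urlString, resolve) {
  let url;
  try { url = new URL(urlString); } catch { return { ok: false, reason: 'unparseable' }; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return { ok: false, reason: 'scheme' };
  const host = url.hostname.replace(/^\[|\]$/g, '');
  const addrs = isIpLiteral(host) ? [host] : resolve(host);
  if (addrs.length === 0) return { ok: false, reason: 'unresolvable' };
  const bad = addrs.find(isPrivateAddress);
  if (bad) return { ok: false, reason: `private address ${bad}` };
  return { ok: true, url: url.toString(), address: addrs[0] };
}

// Vulnerable shape: the check passes, then the HTTP client does its own lookup
// (which attacker-controlled DNS can answer differently) and follows 3xx.
function deliverUnpinned(urlString, resolve, transport) {
  const v = resolveAndCheck(urlString, resolve);
  if (!v.ok) return { delivered: false, reason: v.reason, visited: [] };
  const visited = [];
  let current = v.url;
  for (let hop = 0; hop < 3; hop++) {
    const host = new URL(current).hostname.replace(/^\[|\]$/g, '');
    const address = isIpLiteral(host) ? host : resolve(host)[0];
    visited.push(address);
    const res = transport({ url: current, address });
    if (res.status >= 300 && res.status < 400 && res.location) { current = res.location; continue; }
    return { delivered: res.status === 200, visited };
  }
  return { delivered: false, reason: 'too many redirects', visited };
}

// Fixed shape: connect to the address that was checked; any redirect is a failure.
function deliverPinned(urlString, resolve, transport) {
  const v = resolveAndCheck(urlString, resolve);
  if (!v.ok) return { delivered: false, reason: v.reason, visited: [] };
  const res = transport({ url: v.url, address: v.address });
  if (res.status >= 300 && res.status < 400) {
    return { delivered: false, reason: `refused redirect to ${res.location}`, visited: [v.address] };
  }
  return { delivered: res.status === 200, visited: [v.address] };
}

// Constructed DNS: hooks.attacker.example answers a public address on the first
// lookup and 10.0.0.5 on every later one (rebinding with a zero TTL).
function makeFakeResolver() {
  const answers = {
    'hooks.attacker.example': [['203.0.113.10'], ['10.0.0.5']],
    'redirector.example': [['198.51.100.7']],
  };
  const seen = {};
  return (name) => {
    const n = seen[name] || 0;
    seen[name] = n + 1;
    const list = answers[name] || [];
    return list.length ? list[Math.min(n, list.length - 1)] : [];
  };
}

// Constructed HTTP: redirector.example is an open redirect to whatever ?u= says.
function fakeTransport({ url }) {
  const u = new URL(url);
  if (u.hostname === 'redirector.example') return { status: 302, location: u.searchParams.get('u') };
  return { status: 200 };
}

function demo() {
  const rebind = 'https://hooks.attacker.example/hook';
  const redirect = 'https://redirector.example/go?u=http://169.254.169.254/latest/meta-data/';
  return {
    unpinnedRebind: deliverUnpinned(rebind, makeFakeResolver(), fakeTransport),   // reaches 10.0.0.5
    pinnedRebind: deliverPinned(rebind, makeFakeResolver(), fakeTransport),       // stays on 203.0.113.10
    unpinnedRedirect: deliverUnpinned(redirect, makeFakeResolver(), fakeTransport), // follows to 169.254.169.254
    pinnedRedirect: deliverPinned(redirect, makeFakeResolver(), fakeTransport),   // refuses the 302
    obfuscatedLiteral: resolveAndCheck('http://2130706433/hook', makeFakeResolver()), // 127.0.0.1 rejected
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Two points of design: pinning is done by handing the checked address to the connector rather than by rewriting the hostname in the URL, so in real Node code TLS verification still sees the original hostname (an http.Agent or undici `lookup` override does this). If redirects must be supported, the alternative to refusing them is to run the same resolve-and-check on every Location hop before following it; following blindly is exactly what an open redirect exploits.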
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| hemmelig (npm) | < 7.3.3 | 7.3.3 |
Affected products
- Range: cli-v1.0.0, cli-v1.0.1, v.1.0.1, …
Patches
- Fixed in hemmelig 7.3.3 (commit 6c909e571d0797ee3bbd2c72e4eb767b57378228, linked under References).
References
- https://github.com/advisories/GHSA-vvxf-wj5w-6gj5 (GitHub advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2025-69206 (NVD)
- https://github.com/HemmeligOrg/Hemmelig.app/commit/6c909e571d0797ee3bbd2c72e4eb767b57378228 (fix commit)
- https://github.com/HemmeligOrg/Hemmelig.app/security/advisories/GHSA-vvxf-wj5w-6gj5 (project security advisory)