Home > Vulnerability Database > CVE-2025-32013

Mend.io Vulnerability Database

CVE-2025-32013

Date: April 6, 2025

LNbits is a Lightning wallet and accounts system. A Server-Side Request Forgery (SSRF) vulnerability has been discovered in LNbits' LNURL authentication handling functionality. When processing LNURL authentication requests, the application accepts a callback URL parameter and makes an HTTP request to that URL using the httpx library with redirect following enabled. The application doesn't properly validate the callback URL, allowing attackers to specify internal network addresses and access internal resources.

Severity Score

7.5

Related Resources (5)

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-32013

Url: https://github.com/pypa/advisory-database/tree/main/vulns/lnbits/PYSEC-2025-16.yaml

Url: https://github.com/lnbits/lnbits

Url: https://github.com/lnbits/lnbits/security/advisories/GHSA-qp8j-p87f-c8cc

Url: https://www.mend.io/vulnerability-database/CVE-2025-32013

Severity Score

7.5

Weakness Type (CWE)

Server-Side Request Forgery (SSRF)

CWE-918

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-32013

Date: April 6, 2025

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?