CVE-2025-52186

MEDIUM

lichess/lila < 2025-06-02 - Server-Side Request Forgery via Game Export API Players Parameter

Title source: llm

Description

Lichess lila before commit 11b4c0fb00f0ffd823246f839627005459c8f05c (2025-06-02) contains a Server-Side Request Forgery (SSRF) vulnerability in the game export API. The players parameter is passed directly to an internal HTTP client without validation, allowing remote attackers to force the server to send HTTP requests to arbitrary URLs

References (2)

Core 2

Core References

Broken Link

https://github.com/lichess-org/lila/commit/11b4c0fb00f0ffd8232346f839627005459c8f05c

Exploit, Issue Tracking

https://hackerone.com/reports/3165242

Scores

CVSS v3 6.5

EPSS 0.0028

EPSS Percentile 19.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-918

Status published

Products (1)

lichess/lila < 2025-06-02

Published Nov 13, 2025

Tracked Since Feb 18, 2026