CVE-2025-69206

MEDIUM

Hemmelig < 7.3.3 - Authenticated Server-Side Request Forgery via Secret Requests Webhook URL Validation Bypass

Title source: llm

Description

Hemmelig is a messing app with with client-side encryption and self-destructing messages. Prior to version 7.3.3, a Server-Side Request Forgery (SSRF) filter bypass vulnerability exists in the webhook URL validation of the Secret Requests feature. The application attempts to block internal/private IP addresses but can be bypassed using DNS rebinding or open redirect services. This allows an authenticated user to make the server initiate HTTP requests to internal network resources. Version 7.3.3 contains a patch for the issue.

References (2)

Core 2

Core References

Exploit, Vendor Advisory x_refsource_confirm

https://github.com/HemmeligOrg/Hemmelig.app/security/advisories/GHSA-vvxf-wj5w-6gj5

Patch x_refsource_misc

https://github.com/HemmeligOrg/Hemmelig.app/commit/6c909e571d0797ee3bbd2c72e4eb767b57378228

View Patch ZIP pw:eip

Scores

CVSS v3 4.3

EPSS 0.0001

EPSS Percentile 1.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-918

Status published

Products (2)

hemmelig/hemmelig < 7.3.3

npm/hemmelig 0 - 7.3.3npm

Published Dec 29, 2025

Tracked Since Feb 18, 2026