Lookup for vulnerable packages by Package URL.

Purl pkg:pypi/lnbits@0.12.6
Type pypi
Namespace
Name lnbits
Version 0.12.6
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 0.12.12
Latest_non_vulnerable_version 0.12.12
Affected_by_vulnerabilities
0
url VCID-67ee-6hu6-mue1
vulnerability_id VCID-67ee-6hu6-mue1
summary LNbits is a Lightning wallet and accounts system. A Server-Side Request Forgery (SSRF) vulnerability has been discovered in LNbits' LNURL authentication handling functionality. When processing LNURL authentication requests, the application accepts a callback URL parameter and makes an HTTP request to that URL using the httpx library with redirect following enabled. The application doesn't properly validate the callback URL, allowing attackers to specify internal network addresses and access internal resources.
references
0
reference_url https://github.com/lnbits/lnbits/security/advisories/GHSA-qp8j-p87f-c8cc
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://github.com/lnbits/lnbits/security/advisories/GHSA-qp8j-p87f-c8cc
fixed_packages
0
url pkg:pypi/lnbits@0.12.12
purl pkg:pypi/lnbits@0.12.12
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/lnbits@0.12.12
aliases CVE-2025-32013, PYSEC-2025-16
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-67ee-6hu6-mue1
Fixing_vulnerabilities
Risk_score null
Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/lnbits@0.12.6