Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS1yNmpnLWpmdjYtMmZqds4ABDcU

Matrix Media Repo (MMR) allows Server-Side Request Forgery (SSRF) on redirects and federation

Impact

Matrix Media Repo (MMR) is vulnerable to server-side request forgery, serving content from a private network it can access, under certain conditions.

Patches

This is fixed in MMR v1.3.8.

Workarounds

Restricting which hosts MMR is allowed to contact via (local) firewall rules or a transparent proxy.

References

https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
https://learn.snyk.io/lesson/ssrf-server-side-request-forgery/
https://www.agwa.name/blog/post/preventing_server_side_request_forgery_in_golang

Permalink: https://github.com/advisories/GHSA-r6jg-jfv6-2fjv
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yNmpnLWpmdjYtMmZqds4ABDcU
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 1 day ago
Updated: about 1 hour ago

CVSS Score: 5.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

EPSS Percentage: 0.00062
EPSS Percentile: 0.28715

Identifiers: GHSA-r6jg-jfv6-2fjv, CVE-2024-52602
References:

• https://github.com/t2bot/matrix-media-repo/security/advisories/GHSA-r6jg-jfv6-2fjv
• https://github.com/t2bot/matrix-media-repo/releases/tag/v1.3.8
• https://nvd.nist.gov/vuln/detail/CVE-2024-52602
• https://learn.snyk.io/lesson/ssrf-server-side-request-forgery
• https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
• https://www.agwa.name/blog/post/preventing_server_side_request_forgery_in_golang
• https://pkg.go.dev/vuln/GO-2025-3399
• https://github.com/advisories/GHSA-r6jg-jfv6-2fjv

Repository: https://github.com/t2bot/matrix-media-repo
Blast Radius: 1.0

Affected Packages