Karakeep SDK has SSRF via metascraper-logo-favicon that bypasses validateUrl protections
Severity: High
Description
The metascraper-logo-favicon plugin makes HTTP requests to URLs extracted from attacker-controlled HTML without going through the application’s validateUrl() SSRF protections. This allows any authenticated user to make the server fetch arbitrary internal URLs by bookmarking a page containing a crafted <link rel="icon"> tag.
Recommendation
Update the @karakeep/sdk package to the latest compatible version. Version details:
- Affected version(s): <= 0.31.0
- Patched version(s): 0.32.0
References
Related Issues
- Novu has SSRF via conditions filter webhook bypasses validateUrlSsrf() protection - Vulnerability
- PDFME has SSRF via Unvalidated URL Fetch in `getB64BasePdf` When `basePdf` Is Attacker-Controlled - Vulnerability
- Nuxt MDC has an XSS vulnerability in markdown rendering that bypasses HTML filtering - CVE-2025-54075
- GenieACS has an unauthenticated access vulnerability via the NBI API endpoint - CVE-2025-56015
Tags: npm, @karakeep/sdk
Last updated on May 14, 2026