GHSA-7rx4-c5vx-g8w3: Karakeep SDK has SSRF via metascraper-logo-favicon that bypasses validateUrl protections
The metascraper-logo-favicon plugin makes HTTP requests to URLs extracted from attacker-controlled HTML without going through the application’s validateUrl() SSRF protections. This allows any authenticated user to make the server fetch arbitrary internal URLs by bookmarking a page containing a crafted <link rel="icon"> tag.
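The fix the advisory implies is to route every favicon candidate through the same SSRF check as any other fetched URL. The example below is added here and is not Karakeep's or metascraper's code: validateUrl() is a hypothetical stand-in for the application's check, safeFaviconUrls() is the extraction step that applies it, and the sample HTML and hostnames are constructed.

```javascript
// Hypothetical stand-in for the application's validateUrl(): accepts only
// http(s) URLs whose host is not loopback, link-local, RFC 1918 or ULA space.
// Hostname-level only: a complete fix also checks the IP the name resolves to
// (DNS rebinding) and re-validates every redirect hop before following it.
function validateUrl(urlString) {
  let url;
  try { url = new URL(urlString); } catch { return false; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  // WHATWG URL canonicalises "127.1" or "2130706433" to "127.0.0.1", so the
  // checks below see a normal dotted quad; IPv6 literals keep their brackets.
  const host = url.hostname.replace(/^\[|\]$/g, "").toLowerCase();
  if (host === "localhost" || host.endsWith(".localhost")) return false;
  if (/^\d+(\.\d+){3}$/.test(host)) return !isPrivateV4(host);
  // ::1, ::, IPv4-mapped ::ffff:x (conservatively), fe80::/10 and fc00::/7
  if (host.includes(":")) return !/^(::|fe[89ab]|f[cd])/.test(host);
  return true;
}

function isPrivateV4(ip) {
  const [a, b] = ip.split(".").map(Number);
  return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Pull <link rel="icon"> candidates out of untrusted HTML, resolve them against
// the bookmarked page URL, and keep only those validateUrl() accepts. A fetcher
// fed this list instead of the raw hrefs no longer bypasses the check.
function safeFaviconUrls(html, pageUrl) {
  const attr = (tag, name) => {
    const re = new RegExp(`\\b${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
    const m = re.exec(tag);
    return m ? (m[1] ?? m[2] ?? m[3]) : null;
  };
  const allowed = [];
  for (const tag of html.match(/<link\b[^>]*>/gi) || []) {
    const rel = attr(tag, "rel"), href = attr(tag, "href");
    if (!rel || !href || !rel.toLowerCase().split(/\s+/).includes("icon")) continue;
    let resolved;
    try { resolved = new URL(href, pageUrl).href; } catch { continue; }
    if (validateUrl(resolved)) allowed.push(resolved);
  }
  return allowed;
}

// Constructed sample: a page mixing legitimate icons with links into loopback
// and RFC 1918 space, as an attacker-controlled bookmark target could.
const SAMPLE_HTML = `
<link rel="icon" href="/favicon.ico">
<link rel="shortcut icon" href="http://127.0.0.1:8080/admin">
<link rel='icon' href='https://cdn.example.com/icon.png'>
<link rel=icon href=http://10.0.0.5/internal>
`;
```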