CVE-2025-69206: hemmelig allows SSRF Filter bypass via Secret Request functionality

December 29, 2025

A Server-Side Request Forgery (SSRF) filter bypass vulnerability exists in the webhook URL validation of the Secret Requests feature. The application attempts to block internal/private IP addresses but can be bypassed using DNS rebinding (e.g., localtest.me which resolves to 127.0.0.1) or open redirect services (e.g., httpbin.org/redirect-to). This allows an authenticated user to make the server initiate HTTP requests to internal network resources.

References

github.com/HemmeligOrg/Hemmelig.app
github.com/HemmeligOrg/Hemmelig.app/commit/6c909e571d0797ee3bbd2c72e4eb767b57378228
github.com/HemmeligOrg/Hemmelig.app/security/advisories/GHSA-vvxf-wj5w-6gj5
github.com/advisories/GHSA-vvxf-wj5w-6gj5
nvd.nist.gov/vuln/detail/CVE-2025-69206

Code Behaviors & Features

Detect and mitigate CVE-2025-69206 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →