CVE-2026-25123 Overview
Homarr is an open-source dashboard application used to aggregate self-hosted services and applications. CVE-2026-25123 is a Server-Side Request Forgery (SSRF) vulnerability [CWE-918] affecting Homarr versions prior to 1.52.0. The public tRPC endpoint widget.app.ping accepts an attacker-supplied URL and performs a server-side HTTP request to that destination without authentication. Attackers can use the endpoint to send outbound HTTP requests from the Homarr server and infer open versus closed ports based on response status and timing behavior. The vendor fixed the issue in version 1.52.0.
Critical Impact
Unauthenticated attackers can pivot through the Homarr server to probe internal networks and enumerate reachable services.
Affected Products
- Homarr versions prior to 1.52.0
- Self-hosted Homarr dashboard deployments exposed to untrusted networks
- Containerized Homarr instances with network access to internal services
Discovery Timeline
- 2026-02-06 - CVE-2026-25123 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2026-25123
Vulnerability Analysis
The vulnerability resides in the widget.app.ping tRPC procedure exposed by the Homarr server. The procedure is reachable without authentication and accepts an arbitrary url parameter. The server then issues an outbound HTTP request to that URL and returns response metadata to the caller. Attackers control both the destination host and port of the request, which transforms the endpoint into an SSRF primitive.
The response surface leaks enough information to perform reliable port scanning. A successful TCP connection that returns an HTTP statusCode indicates the port is open and speaking HTTP. A fetch failed error or a delayed response indicates a closed port or filtered destination. Attackers can iterate this primitive across internal CIDR ranges to map services behind the Homarr host.
Root Cause
The root cause is missing authentication and missing destination validation on the widget.app.ping procedure. The endpoint does not restrict requests to allowlisted hosts. It also does not block requests to private, loopback, or link-local address ranges. Server-side fetch implementations that accept arbitrary user input require strict URL parsing and address filtering to prevent SSRF [CWE-918].
Attack Vector
The attack vector is network-based and requires no privileges or user interaction. An attacker sends a crafted tRPC request to the public widget.app.ping endpoint with a target URL pointing at an internal host and port. The attacker observes the returned status code or error string to determine port state. Repeated requests across a target IP range produce a complete port map of the internal network reachable from the Homarr server. See the GitHub Security Advisory GHSA-c6rh-8wj4-gv74 for the vendor write-up.
Detection Methods for CVE-2026-25123
Indicators of Compromise
- High volume of inbound requests to the widget.app.ping tRPC route from a single source.
- Outbound connection attempts from the Homarr server to internal RFC1918 ranges or 127.0.0.1 ports not associated with normal widget activity.
- Sequential or patterned outbound HTTP requests from the Homarr process to incrementing ports or IP addresses.
Detection Strategies
- Inspect reverse proxy and web server logs for requests to widget.app.ping containing unexpected url parameters referencing internal hostnames or IP literals.
- Correlate Homarr egress traffic with internal asset inventory to identify connections that do not match configured widgets.
- Alert on outbound HTTP requests from the Homarr container or host to private address space, localhost, or cloud metadata endpoints such as 169.254.169.254.
Monitoring Recommendations
- Capture and retain reverse proxy access logs with full query parameters for tRPC endpoints.
- Forward Homarr container network telemetry into a SIEM or data lake for retrospective hunting.
- Track egress destinations from Homarr instances and baseline normal widget targets to surface anomalies.
How to Mitigate CVE-2026-25123
Immediate Actions Required
- Upgrade Homarr to version 1.52.0 or later, which removes the unauthenticated SSRF primitive.
- Restrict network access to Homarr instances behind authenticated reverse proxies or VPNs until the upgrade is applied.
- Audit egress firewall rules to deny Homarr traffic to internal management networks and cloud metadata endpoints.
Patch Information
The vendor fixed CVE-2026-25123 in Homarr 1.52.0. The advisory and remediation details are published in the GitHub Security Advisory GHSA-c6rh-8wj4-gv74. Operators running self-hosted deployments should pull the updated container image or release artifact and redeploy.
Workarounds
- Place Homarr behind an authenticating reverse proxy that blocks unauthenticated access to /api/trpc/widget.app.ping.
- Apply egress network policies that prevent the Homarr workload from initiating connections to RFC1918 ranges, loopback, and link-local addresses.
- Run Homarr in an isolated network segment with no route to sensitive internal services.
# Example egress restriction for a Homarr Docker container using iptables
# Block outbound traffic from the container to private and link-local ranges
iptables -I DOCKER-USER -s <homarr_container_ip> -d 10.0.0.0/8 -j DROP
iptables -I DOCKER-USER -s <homarr_container_ip> -d 172.16.0.0/12 -j DROP
iptables -I DOCKER-USER -s <homarr_container_ip> -d 192.168.0.0/16 -j DROP
iptables -I DOCKER-USER -s <homarr_container_ip> -d 169.254.0.0/16 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
