CVE-2026-25123 Overview
CVE-2026-25123 is a Server-Side Request Forgery (SSRF) vulnerability in Homarr, an open-source dashboard application. Prior to version 1.52.0, the public (unauthenticated) tRPC endpoint widget.app.ping accepts an arbitrary URL and performs a server-side request to that URL. This allows an unauthenticated attacker to trigger outbound HTTP requests from the Homarr server, enabling SSRF behavior and a reliable port-scanning primitive where open vs closed ports can be inferred from status codes, fetch failures, and timing differences.
Critical Impact
Unauthenticated attackers can exploit this SSRF vulnerability to probe internal network infrastructure, scan ports, and potentially access internal services that should not be externally accessible.
Affected Products
- Homarr versions prior to 1.52.0
- Homarr dashboard installations with exposed tRPC endpoints
- Self-hosted Homarr instances accessible from untrusted networks
Discovery Timeline
- 2026-02-06 - CVE-2026-25123 published to NVD
- 2026-02-09 - Last updated in NVD database
Technical Details for CVE-2026-25123
Vulnerability Analysis
This SSRF vulnerability (CWE-918) exists in the widget.app.ping tRPC endpoint, which is publicly accessible without authentication. The endpoint accepts a user-supplied URL parameter and initiates a server-side HTTP request to that URL without proper validation or restrictions. This design flaw allows attackers to abuse the Homarr server as a proxy to reach internal network resources.
The attack surface is significant because the endpoint is unauthenticated, meaning any network-adjacent attacker can exploit this vulnerability without requiring credentials. The vulnerability enables reconnaissance capabilities including port scanning of internal infrastructure by analyzing response timing and status codes.
Root Cause
The root cause of CVE-2026-25123 is the lack of URL validation and access controls on the widget.app.ping tRPC endpoint. The endpoint performs HTTP requests to arbitrary URLs without:
- Authentication requirements for the endpoint
- URL scheme validation (allowing access to internal protocols)
- Host validation (allowing requests to internal IP ranges)
- Network segmentation enforcement
This allows user-controlled input to directly influence server-side network requests, a classic SSRF anti-pattern.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can craft requests to the vulnerable tRPC endpoint specifying internal URLs or IP addresses. The server then makes the request on behalf of the attacker, effectively bypassing network perimeter controls.
The response characteristics (status codes, timing, error messages) reveal information about internal services:
- Successful responses indicate open, responsive services
- Connection refused errors indicate closed ports
- Timeout differences help identify filtered vs. unreachable hosts
For technical details on the vulnerability, see the GitHub Security Advisory.
Detection Methods for CVE-2026-25123
Indicators of Compromise
- Unusual outbound HTTP requests from the Homarr server to internal IP ranges (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
- High volume of requests to the widget.app.ping endpoint from external sources
- Sequential port scanning patterns in server logs targeting internal hosts
- Requests to metadata endpoints such as 169.254.169.254 (cloud instance metadata)
Detection Strategies
- Monitor network traffic for outbound requests from the Homarr server to internal network segments
- Implement alerting on requests to the widget.app.ping endpoint with internal IP addresses or localhost
- Review tRPC endpoint access logs for anomalous patterns or high-frequency requests
- Deploy web application firewall (WAF) rules to detect and block SSRF payloads
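A hardened target check for a ping-style endpoint, covering both the Root Cause list above (scheme and host validation) and the detection strategy of flagging ping requests aimed at internal addresses. This is an added example, not Homarr's code or its actual fix; the function names, the address ranges it blocks and the sample targets are assumptions constructed for illustration.

```typescript
// Added example, not Homarr's own code. new URL() normalizes odd IPv4
// spellings (0x7f000001, 127.1) to dotted form, so the classifier below
// only has to handle canonical text.
function mappedV4(h: string): string | null {
  // WHATWG URL serializes IPv4-mapped IPv6 as ::ffff:a00:5; accept both forms.
  const m = h.match(/^::ffff:(?:(\d+\.\d+\.\d+\.\d+)|([0-9a-f]{1,4}):([0-9a-f]{1,4}))$/);
  if (!m) return null;
  if (m[1]) return m[1];
  const hi = parseInt(m[2], 16), lo = parseInt(m[3], 16);
  return `${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`;
}

// True for addresses an unauthenticated ping must never reach: loopback,
// RFC 1918, CGNAT, link-local (incl. 169.254.169.254 metadata), unspecified.
export function isInternalAddress(host: string): boolean {
  const h = host.toLowerCase().replace(/^\[|\]$/g, "");
  if (h === "localhost" || h.endsWith(".localhost")) return true;
  const v4 = (mappedV4(h) ?? h).match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (v4) {
    const [a, b] = [Number(v4[1]), Number(v4[2])];
    return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
      (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168) ||
      (a === 100 && b >= 64 && b <= 127);
  }
  if (h.includes(":")) return h === "::" || h === "::1" || /^f[cd]/.test(h) || /^fe[89ab]/.test(h);
  // A hostname: the caller must resolve it and re-check every resulting
  // address before connecting, or a DNS record can point back inside.
  return false;
}

// Server-side gate for the ping target: scheme allowlist plus host check.
export function isAllowedPingTarget(raw: string): boolean {
  let u: URL;
  try { u = new URL(raw); } catch { return false; }
  if (u.protocol !== "http:" && u.protocol !== "https:") return false;
  return !isInternalAddress(u.hostname);
}

// Detection use: the same check over ping targets pulled from access logs
// returns the ones aimed inward. These targets are constructed sample data.
export const sampleTargets = [
  "https://status.example.org/health",
  "http://192.168.1.10:8080/",
  "http://169.254.169.254/latest/meta-data/",
  "http://[::ffff:10.0.0.5]:22/",
  "gopher://127.0.0.1:6379/",
];
export function flagInternalPingTargets(targets: string[]): string[] {
  return targets.filter((t) => !isAllowedPingTarget(t));
}
```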
Monitoring Recommendations
- Enable verbose logging on the Homarr application to capture all tRPC endpoint requests
- Configure network monitoring to alert on Homarr server connections to internal services
- Implement egress filtering and log all outbound connections from the Homarr host
- Use SentinelOne Singularity to monitor for suspicious network behavior patterns from the application
How to Mitigate CVE-2026-25123
Immediate Actions Required
- Upgrade Homarr to version 1.52.0 or later immediately
- If immediate upgrade is not possible, restrict network access to the Homarr instance to trusted networks only
- Implement network segmentation to limit the Homarr server's access to internal resources
- Review logs for evidence of prior exploitation attempts
Patch Information
The vulnerability is fixed in Homarr version 1.52.0. Organizations should upgrade to this version or later to remediate the SSRF vulnerability. The patch addresses the lack of URL validation on the widget.app.ping endpoint. For detailed patch information, refer to the GitHub Security Advisory.
Workarounds
- Place the Homarr instance behind a reverse proxy with authentication requirements
- Configure firewall rules to restrict outbound connections from the Homarr server
- Use network ACLs to prevent the Homarr server from accessing sensitive internal resources
- Disable or block access to the widget.app.ping endpoint if not required for functionality
# Example: iptables rules to restrict Homarr outbound access
# Block new connections from the Homarr host to internal network ranges.
# Keep replies to dashboard users and already-established flows working:
iptables -A OUTPUT -s <homarr_host_ip> -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow only the internal services the dashboard legitimately monitors, one rule each:
# iptables -A OUTPUT -s <homarr_host_ip> -d <service_ip> -p tcp --dport <service_port> -j ACCEPT
iptables -A OUTPUT -s <homarr_host_ip> -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -s <homarr_host_ip> -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -s <homarr_host_ip> -d 192.168.0.0/16 -j DROP
iptables -A OUTPUT -s <homarr_host_ip> -d 169.254.169.254 -j DROP
# If Homarr runs in a container, apply the same rules in the DOCKER-USER (FORWARD) chain instead of OUTPUT.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.