Description

Lichess lila before commit 11b4c0fb00f0ffd823246f839627005459c8f05c (2025-06-02) contains a Server-Side Request Forgery (SSRF) vulnerability in the game export API. The players parameter is passed directly to an internal HTTP client without validation, allowing remote attackers to force the server to send HTTP requests to arbitrary URLs

INFO

Published Date :

2025-11-13T00:00:00.000Z

Last Modified :

2025-11-13T17:18:04.870Z

Source :

mitre
AFFECTED PRODUCTS

The following products are affected by CVE-2025-52186 vulnerability.

Vendors Products
Lichess
  • Lila
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-52186.

URL Resource
https://github.com/lichess-org/lila/commit/11b4c0fb00f0ffd8232346f839627005459c8f05c cve-icon cve-icon
https://hackerone.com/reports/3165242 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact