
CVE-2026-34590

MEDIUM CVSS 3.1: 5.4 EPSS 0.03%
Updated Apr 07, 2026
Gitroom
CVSS: 5.4 (MEDIUM)
Affected Versions: before 2.21.4
Fixed In: 2.21.4
Type: CWE-918 (Server-Side Request Forgery (SSRF))
Vendor: Gitroom
Public PoC: No

Postiz is an AI social media scheduling tool. Prior to version 2.21.4, the POST /webhooks/ endpoint for creating webhooks uses WebhooksDto, which validates the url field with only @IsUrl(), a format check, and omits the @IsSafeWebhookUrl validator that blocks internal and private network addresses. The update (PUT /webhooks/) and test (POST /webhooks/send) endpoints correctly apply @IsSafeWebhookUrl, so an authenticated user who can create webhooks simply creates one pointing at an internal address and never updates it.

When a post is published, the orchestrator fetches the stored webhook URL without re-validating it, enabling blind SSRF against internal services: the response is not returned to the attacker, so the impact is limited to reaching hosts and ports the server can see and to whatever a request to them causes, which matches the Low confidentiality and integrity ratings below. This issue has been patched in version 2.21.4. Operators upgrading should also review webhook URLs already stored in the database, since a check enforced at creation time does not retroactively cover records created before the fix.
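The two checks the advisory describes, a private-address validator on the url field and a re-check at dispatch time, as an added TypeScript example. This is not Postiz code and does not claim to reproduce its @IsSafeWebhookUrl implementation; the blocked-range list, the constructed SAMPLE_DNS table that stands in for a DNS lookup, and the function names isSafeWebhookUrl and dispatchWebhook are assumptions made for the example. It relies on the WHATWG URL parser (Node's global URL) to normalise shorthand such as 2130706433, 0x7f.1 and 127.1 to dotted-decimal before the range check runs.

```typescript
// Added example, not Postiz code: a "safe webhook URL" check of the kind the
// advisory says POST /webhooks/ lacked, plus a dispatch-time re-check. Ranges,
// SAMPLE_DNS and function names are assumptions for this example.

// Special-use IPv4 ranges a webhook must never target: [network, prefix bits].
const BLOCKED_V4: Array<[string, number]> = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
  ["224.0.0.0", 4], ["240.0.0.0", 4],
];

// Strict dotted-quad parser; hex, octal and short forms are rejected here.
function v4ToInt(ip: string): number | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  let n = 0;
  for (let i = 1; i <= 4; i++) {
    const octet = Number(m[i]);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

function isBlockedV4(ip: string): boolean {
  const n = v4ToInt(ip);
  if (n === null) return true; // unparseable literal: fail closed
  return BLOCKED_V4.some(([net, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === ((v4ToInt(net)! & mask) >>> 0);
  });
}

// Expands "::" and an embedded dotted-quad tail into eight 16-bit groups.
function v6Groups(ip: string): number[] | null {
  let s = ip;
  const tail = /(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$/.exec(s);
  if (tail) {
    const n = v4ToInt(tail[1]);
    if (n === null) return null;
    s = s.slice(0, -tail[1].length) + (n >>> 16).toString(16) + ":" + (n & 0xffff).toString(16);
  }
  const halves = s.split("::");
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(":") : [];
  const rest = halves.length === 2 && halves[1] ? halves[1].split(":") : [];
  const fill = halves.length === 2 ? 8 - head.length - rest.length : 0;
  if (fill < 0) return null;
  const groups = [...head, ...new Array<string>(fill).fill("0"), ...rest]
    .map((g) => (/^[0-9a-f]{1,4}$/i.test(g) ? parseInt(g, 16) : NaN));
  return groups.length === 8 && groups.every((g) => !Number.isNaN(g)) ? groups : null;
}

function isBlockedV6(ip: string): boolean {
  const g = v6Groups(ip);
  if (!g) return true; // fail closed on anything we cannot parse
  if (g.slice(0, 5).every((x) => x === 0) && g[5] === 0xffff) {
    // IPv4-mapped (::ffff:a.b.c.d): apply the IPv4 rules to the embedded address.
    return isBlockedV4(`${g[6] >> 8}.${g[6] & 0xff}.${g[7] >> 8}.${g[7] & 0xff}`);
  }
  if (g.slice(0, 7).every((x) => x === 0) && g[7] <= 1) return true; // :: and ::1
  if ((g[0] & 0xffc0) === 0xfe80) return true; // fe80::/10 link-local
  if ((g[0] & 0xfe00) === 0xfc00) return true; // fc00::/7 unique local
  if ((g[0] & 0xff00) === 0xff00) return true; // ff00::/8 multicast
  return false;
}

export type Resolver = (hostname: string) => string[];

// Constructed DNS table standing in for a real lookup so the example runs offline.
export const SAMPLE_DNS: Record<string, string[]> = {
  "hooks.example.com": ["203.0.113.10"],
  "metadata.internal": ["169.254.169.254"], // public-looking name, private answer
};

function parseUrl(raw: string): URL | null {
  try { return new URL(raw); } catch { return null; } // the @IsUrl()-style format gate
}

export function isSafeWebhookUrl(raw: string, resolve: Resolver = (h) => SAMPLE_DNS[h] ?? []): boolean {
  const u = parseUrl(raw);
  if (!u) return false;
  if (u.protocol !== "http:" && u.protocol !== "https:") return false; // no file:, ftp:, gopher: ...
  if (u.username || u.password) return false;
  const host = u.hostname.toLowerCase().replace(/\.$/, "");
  if (host === "localhost" || host.endsWith(".localhost")) return false;
  if (host.startsWith("[")) return !isBlockedV6(host.slice(1, -1));
  if (/^[\d.]+$/.test(host)) return !isBlockedV4(host); // parser already normalised shorthand
  // A hostname is only as safe as what it resolves to: check every answer, fail closed on none.
  const addrs = resolve(host);
  return addrs.length > 0 && addrs.every((a) => (a.includes(":") ? !isBlockedV6(a) : !isBlockedV4(a)));
}

// Dispatch-time guard: re-validate the stored URL right before the fetch, so a record that
// reached the database through an endpoint that skipped validation is still refused.
export async function dispatchWebhook(
  storedUrl: string,
  fetchImpl: (url: string) => Promise<unknown>,
  resolve?: Resolver,
): Promise<"sent" | "blocked"> {
  if (!isSafeWebhookUrl(storedUrl, resolve)) return "blocked";
  await fetchImpl(storedUrl);
  return "sent";
}
```

The resolver hook is the part a creation-time decorator alone cannot provide: a hostname that passes the format check can still resolve to a private address, and the answer can change between creation and dispatch. Checking at dispatch time narrows that window but does not close it, because the HTTP client resolves the name again when it connects; a complete fix connects to the address that was validated (a custom lookup or agent) rather than trusting a second resolution.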

Attack Parameters

Attack Vector: Network (can be exploited remotely)
Attack Complexity: Low (easy to exploit)
Privileges Required: Low (basic privileges needed)
User Interaction: None (no user interaction needed)

Impact Assessment

Confidentiality: Low (partial data leak)
Integrity: Low (partial data modification)
Availability: None (no disruption)

CVSS Vector v3.1

Vulnerable Products (1)

Gitroom Postiz
cpe:2.3:a:gitroom:postiz:*:*:*:*:*:*:*:*
From (including): not specified
Up to (excluding): 2.21.4