CVE-2025-52186

Published: Nov 13, 2025

Modified: Nov 13, 2025

PUBLISHED

Description

Lichess lila before commit 11b4c0fb00f0ffd823246f839627005459c8f05c (2025-06-02) contains a Server-Side Request Forgery (SSRF) vulnerability in the game export API. The players parameter is passed directly to an internal HTTP client without validation, allowing remote attackers to force the server to send HTTP requests to arbitrary URLs

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://hackerone.com/reports/3165242

https://github.com/lichess-org/lila/commit/11b4c0fb00f0ffd8232346f839627005459c8f05c

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-52186

Description

Affected Products

References