CVE-2025-1522 HIGH

CVE-2025-1522: PostHog database_schema Server-Side Request Forgery Information Disclosure Vulnerability

Vendor Posthog

Product PostHog

Weakness CWE-918 · SSRF

Published April 23, 2025

Last update April 23, 2025

View on NVD All CVEs

CVSS base score

7.1/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity Low

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

What the vulnerability does

01Description

PostHog database_schema Server-Side Request Forgery Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of PostHog. Authentication is required to exploit this vulnerability. The specific flaw exists within the implementation of the database_schema method. The issue results from the lack of proper validation of a URI prior to accessing resources. An attacker can leverage this vulnerability to disclose information in the context of the service account. Was ZDI-CAN-25358.

Key dates

02Disclosure timeline

April 23, 2025 CVE published

April 23, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-1522

Related vulnerabilities

CVE-2025-1522: PostHog database_schema Server-Side Request Forgery Information Disclosure Vulnerability

01Description

02Disclosure timeline

03References

04Related CVE