CVE-2025-69206 MEDIUM

CVE-2025-69206: Hemmelig has SSRF Filter bypass in Secret Request functionality

Vendor Hemmeligorg
Product Hemmelig.app
Weakness CWE-918 · SSRF
Published December 29, 2025
Last update December 29, 2025

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

Description

Hemmelig is a messaging app with client-side encryption and self-destructing messages. Prior to version 7.3.3, a Server-Side Request Forgery (SSRF) filter bypass vulnerability exists in the webhook URL validation of the Secret Requests feature. The application attempts to block internal/private IP addresses, but the check can be bypassed using DNS rebinding or open redirect services. This allows an authenticated user to make the server initiate HTTP requests to internal network resources. Version 7.3.3 contains a patch for the issue.

Key dates

Disclosure timeline

December 29, 2025 CVE published
December 29, 2025 Record updated