ZDI-25-096: PostHog slack_incoming_webhook Server-Side Request Forgery Information Disclosure Vulnerability
First published: Tue Feb 25 2025(Updated: )
This vulnerability allows remote attackers to disclose sensitive information on affected installations of PostHog. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of the slack_incoming_webhook parameter. The issue results from the lack of proper validation of a URI prior to accessing resources. An attacker can leverage this vulnerability to execute code in the context of the service account.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| PostHog | ||
| PostHog |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of ZDI-25-096?
The severity of ZDI-25-096 is rated at 7.1 on the CVSS scale.
What type of attack does ZDI-25-096 allow?
ZDI-25-096 allows remote attackers to disclose sensitive information if they have authentication.
Which software is affected by ZDI-25-096?
The vulnerability ZDI-25-096 affects installations of PostHog.
Is authentication required to exploit ZDI-25-096?
Yes, authentication is required to exploit the ZDI-25-096 vulnerability.
What is the CVE associated with ZDI-25-096?
The CVE associated with ZDI-25-096 is CVE-2025-1521.
- collector/zdi-published
- source/ZDI
- alias/ZDI-CAN-25352
- agent/title
- agent/last-modified-date
- agent/source
- agent/first-publish-date
- agent/type
- agent/guess-ai
- agent/software-canonical-lookup
- agent/severity
- agent/references
- agent/softwarecombine
- agent/tags
- agent/description
- collector/zdi-advisory
- alias/ZDI-25-096
- alias/CVE-2025-1521
- agent/event
- vendor/posthog
- canonical/posthog