ntfy before 2.22.0 allows SSRF because of an unanchored regular expression for web push endpoint URLs.
The vulnerability results from the use of an unanchored regular expression (CWE-94 — improper control of code/expression) to validate or filter URLs. An unanchored regular expression allows an attacker to craft input that bypasses applied security measures and forces the server to execute an HTTP request to any address — both internal and external. The attack does not require account possession or any user interaction, and a malicious request can be sent directly over the network.
An attacker can force the ntfy server to send requests to internal infrastructure resources (e.g., cloud services, instance metadata, internal APIs), which may lead to disclosure of sensitive data, integrity violation, or unavailability of services on the internal network.
Update ntfy to version 2.22.0 or newer, available in the official repository: https://github.com/binwiederhier/ntfy/releases/tag/v2.22.0
ntfy in versions before 2.22.0
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N