Kallithea Security Notice

Server-side Request Forgery (SSRF)


A vulnerability has been found in git, which also can be triggered through the Kallithea UI. An attacker could make Kallithea execute a 'git clone' with a specially crafted URL, which allows them to send arbitrary packets into the local network accessible from the server.


Please find more details on the reporter's website [2]

Thanks to stypr of Flatt Security for reporting this vulnerability.

Resolution / Affected versions

While the issue is actually in the git client, a mitigation is added to Kallithea release 0.6.3. Users are advised to upgrade as soon as possible.

To our knowledge, no git version with a fix of the root cause has been released.


  1. Mercurial changeset fixing the issue https://kallithea-scm.org/repos/kallithea/changeset/a8a51a3bdb6181e498a862f84eb2d50928330a68

  2. Blog post by the reporter (stypr) https://blog.harold.kim/2020/11/invalid-url-on-git-clone-leading-to-ssrf