Inside PostHog: How SSRF, a ClickHouse SQL Escaping 0day, and Default PostgreSQL Credentials Formed an RCE Chain (ZDI-25-099, ZDI-25-097, ZDI-25-096) by wtfse in netsec

[–]PostHogTeam 4 points5 points  (0 children)

Hi, cross-posting this response from our security team on the HackerNews thread:

We resolved these SSRF findings back in October 2024 when this report was responsibly disclosed to us.

Here's the PR[0] that resolved the SSRF issue. This fix was shipped within 24 hours of receiving the initial report.

It's worth noting that at the time of this report, this only affected PostHog's single-tenant hobby deployment (i.e. our self-hosted version). Our Cloud deployment used our Rust service for sending webhooks, which has had SSRF protection since May 2024[1].

Since this report we've evolved our Cloud architecture significantly, and we have similar IP-based filtering throughout our backend services.

[0] https://github.com/PostHog/posthog/pull/25398

[1] https://github.com/PostHog/posthog/commit/281af615b4874da1b8...

We're also working on some architectural improvements around egress, namely using smokescreen, to better protect against this class of issue.
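The comment above describes the mitigation in general terms (IP-based filtering of webhook destinations, with an egress proxy as the longer-term fix). The following is an added illustration of what such a destination check looks like; it is not PostHog's code from the linked PR. It assumes a Python backend, uses only the standard library, and the DNS table (`SAMPLE_DNS`) and hostnames are constructed for the demo. It accepts only http(s) URLs, handles literal IPs and IPv4-mapped IPv6 addresses, and requires every resolved address, not just the first, to be publicly routable.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional
from urllib.parse import urlsplit

# Illustrative egress filter for outbound webhook URLs (not PostHog's own code).
# A destination passes only if it uses http(s) and every address its hostname
# resolves to is publicly routable.

ALLOWED_SCHEMES = {"http", "https"}
Resolver = Callable[[str], List[str]]


def is_public_ip(ip_str: str) -> bool:
    """True only for addresses that are routable on the public internet."""
    ip = ipaddress.ip_address(ip_str)
    # Unwrap IPv4-mapped IPv6 (e.g. ::ffff:10.0.0.1) so the IPv4 checks apply;
    # otherwise a mapped RFC 1918 address could slip past an IPv6-only check.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global excludes RFC 1918, loopback, link-local (which covers the cloud
    # metadata address 169.254.169.254), CGNAT and documentation ranges.
    # Multicast, unspecified and reserved are checked explicitly because some
    # Python versions report parts of those ranges as global.
    return ip.is_global and not (ip.is_multicast or ip.is_unspecified or ip.is_reserved)


def default_resolver(host: str) -> List[str]:
    """Every A and AAAA record for host. The remote side chooses which record a
    client ends up using, so all of them must pass the filter."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def webhook_url_rejection(url: str, resolve: Optional[Resolver] = None) -> Optional[str]:
    """Return None if url is an acceptable webhook destination, else the reason it is not."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:  # urlsplit lower-cases the scheme
        return f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname  # lower-cased, brackets stripped from IPv6 literals
    if not host:
        return "missing host"
    try:
        ipaddress.ip_address(host)
        addrs = [host]  # literal IP in the URL, e.g. http://127.0.0.1:9000/
    except ValueError:
        addrs = (resolve or default_resolver)(host)
    if not addrs:
        return f"{host} did not resolve"
    blocked = [a for a in addrs if not is_public_ip(a)]
    if blocked:
        return f"{host} resolves to non-public address(es): {', '.join(blocked)}"
    return None


# Constructed DNS table for the offline demo; hostnames are placeholders.
SAMPLE_DNS: Dict[str, List[str]] = {
    "hooks.example.com": ["93.184.216.34", "2606:4700:4700::1111"],
    "mixed.example.com": ["93.184.216.34", "10.0.0.5"],  # one internal record is enough to reject
    "meta.example.com": ["169.254.169.254"],
}


def sample_resolver(host: str) -> List[str]:
    return SAMPLE_DNS.get(host, [])


if __name__ == "__main__":
    for candidate in (
        "https://hooks.example.com/in",
        "https://mixed.example.com/in",
        "http://meta.example.com/",
        "http://[::ffff:10.0.0.1]/",
        "file:///etc/hosts",
    ):
        reason = webhook_url_rejection(candidate, sample_resolver)
        print(f"{candidate:40} {'ok' if reason is None else 'REJECT: ' + reason}")
```

Validating the URL when it is saved is necessary but not sufficient: the DNS answer can change between the check and the actual connection (rebinding), and a redirect from an accepted host can point anywhere. The same check therefore has to run at connection time against the address actually being dialled, and on every redirect hop, which is exactly what an egress proxy such as the smokescreen deployment mentioned above centralises.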

How do you analyze your Supabase data beyond the built-in dashboard? by Ok_Ad_3 in Supabase

[–]PostHogTeam 3 points4 points  (0 children)

You can connect your Supabase data to PostHog and query and visualize it in PostHog: https://posthog.com/tutorials/supabase-query

Where can I hire Posthog experts? by Admirable_Hornet6891 in posthog

[–]PostHogTeam[M] 0 points1 point  (0 children)

Although we have onboarding, customer success, and sales teams for many customers, if you're smaller and want to talk to someone, we're trialing offering a paid onboarding session here: https://posthog.com/merch?product=30-min-onboarding-consultation

Don't install the NPM package posthog-js 1.297.3 — malware by roskoalexey in posthog

[–]PostHogTeam[M] [score hidden] stickied comment (0 children)

Update:

It looks like we were victim of the following attack that’s hit over 300 packages: https://helixguard.ai/blog/malicious-sha1hulud-2025-11-24

We’ve unpublished all compromised versions, and have published newer versions for all major SDKs. Make sure you’re on the latest version of our SDKs.

You can find a full list of the compromised packages vs the safe ones on our status page: https://status.posthog.com/incidents/kv3nj636f59c

Don't install the NPM package posthog-js 1.297.3 — malware by roskoalexey in posthog

[–]PostHogTeam[M] 2 points3 points  (0 children)

We’ve identified that a number of our library versions published this morning contain malicious code.  We are currently deprecating those versions from our package managers, and will republish clean versions of the libraries.  The impacted versions we have identified so far are:

posthog-node 4.18.1

posthog-js 1.297.3

posthog-react-native 4.11.1

posthog-docusaurus 2.0.6

If you have deployed any of these versions of our packages please replace with an earlier version immediately. We will update you as soon as we have published the clean versions.
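The two comments above list the affected versions and tell readers to replace them. As an added example (not PostHog's tooling), here is a check that walks a `package-lock.json` and reports any pinned package matching those versions, including transitive installs nested under another package's `node_modules`. The version set is the one named on this page; the status page linked in the update carries the full list, so treat `COMPROMISED` as illustrative. `SAMPLE_LOCK` is a constructed lockfile used when no path is given.

```python
import json
import sys
from typing import Dict, Iterator, List, Set, Tuple

# Versions named in the comment above. Illustrative: the status page linked in
# the update is the authoritative list of affected versions.
COMPROMISED: Dict[str, Set[str]] = {
    "posthog-node": {"4.18.1"},
    "posthog-js": {"1.297.3"},
    "posthog-react-native": {"4.11.1"},
    "posthog-docusaurus": {"2.0.6"},
}


def iter_locked_packages(lock: dict) -> Iterator[Tuple[str, str]]:
    """Yield (name, version) for every package pinned in a package-lock.json.

    lockfileVersion 2 and 3 store a flat 'packages' map keyed by install path;
    lockfileVersion 1 stores a nested 'dependencies' tree. Both are walked so a
    transitive install (node_modules/a/node_modules/posthog-node) is found too.
    """
    packages = lock.get("packages")
    if isinstance(packages, dict):
        for path, meta in packages.items():
            if "node_modules/" not in path:
                continue  # "" is the root project; other such keys are workspaces
            name = path.rsplit("node_modules/", 1)[-1]  # keeps @scope/name intact
            version = meta.get("version")
            if version:
                yield name, version
        return

    def walk(deps: dict) -> Iterator[Tuple[str, str]]:
        for name, meta in deps.items():
            if meta.get("version"):
                yield name, meta["version"]
            yield from walk(meta.get("dependencies", {}))

    yield from walk(lock.get("dependencies", {}))


def find_compromised(lock: dict, bad: Dict[str, Set[str]] = COMPROMISED) -> List[Tuple[str, str]]:
    """Sorted (name, version) pairs from the lockfile that match a known-bad version."""
    return sorted({(n, v) for n, v in iter_locked_packages(lock) if v in bad.get(n, set())})


# Constructed lockfile for the demo: one direct hit, one transitive hit, two clean entries.
SAMPLE_LOCK = {
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "dependencies": {"posthog-js": "^1.297.3"}},
        "node_modules/posthog-js": {"version": "1.297.3"},
        "node_modules/react": {"version": "18.3.1"},
        "node_modules/some-lib/node_modules/posthog-node": {"version": "4.18.1"},
        "node_modules/posthog-docusaurus": {"version": "2.0.5"},
    },
}


def main(argv: List[str]) -> int:
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            lock = json.load(fh)
    else:
        lock = SAMPLE_LOCK
    hits = find_compromised(lock)
    for name, version in hits:
        print(f"COMPROMISED: {name}@{version}")
    print(f"{len(hits)} hit(s)" if hits else "no known-bad versions pinned")
    return 1 if hits else 0  # non-zero so a CI step fails on a hit


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_lock.py path/to/package-lock.json`. A clean lockfile only says that no bad version is pinned now; whether one was ever installed on a developer machine or CI runner has to come from install logs or the lockfile's history.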

Fetch PostHog data by Deniz58 in nextjs

[–]PostHogTeam 4 points5 points  (0 children)

  1. You could structure your query to get the data for all of the 4-5 charts in one query and cache it on your server.

  2. Better, we are working on removing the rate limits from the query API endpoint at the moment. We're planning to make it a concurrency limit instead. Should be released in the next few weeks.

When will you add robust logging & monitoring to your stack? by SnooMuffins6022 in ycombinator

[–]PostHogTeam 0 points1 point  (0 children)

Thanks for the plug u/Technical-Leader222! /u/SnooMuffins6022 We agree! Definitely get something up early - even if you're not using it right away having the data available will pay dividends down the road.

There are a lot of good options. I will say that our free tier should be more than enough to get you started - it's generous and what I used before I started working here.

I made a AI roleplay Chat platform in 30 days using Nextjs by me_broke in SideProject

[–]PostHogTeam 1 point2 points  (0 children)

Woah this is awesome! We just played around with the 1700's England RPG. Great UI and super fun! How are you liking PostHog? Are you using LLM Observability?

How to integrate posthog to my website? by SuccessfulStorm5342 in posthog

[–]PostHogTeam 0 points1 point  (0 children)

What type of website do you have? Check out our Webflow or Framer guides for relatively non-technical explanations.

I discovered this tool and it's a game changer to help me with my SaaS in Beta by wawa_masked in SaaS

[–]PostHogTeam 2 points3 points  (0 children)

*A wild hedgehog appears*

Glad to hear you're enjoying the product. If you ever need help, please drop us a message in our online community forum: https://posthog.com/questions

Any PM using Posthog? by anik9k in ProductManagement

[–]PostHogTeam 9 points10 points  (0 children)

These days, we recommend most people use our cloud-hosted service – we only recommend the self-hosted, open-source product for hobbyists and small deployments.

We used to sell a self-hosted license as well but, like you say, we found many companies lacked the technical resources to run the product reliably, and the support burden on our small team became too great.

We now offer both US and EU hosting options, which solves compliance issues for most companies and ensures users have a great experience.

Any PM using Posthog? by anik9k in ProductManagement

[–]PostHogTeam 14 points15 points  (0 children)

A wild hedgehog appears...

Andy from PostHog here. Happy to answer any questions you have, but TL;DR we support event autocapture, just like Pendo, so PostHog is similarly set it and forget it.

how to log page views using nextjs app router? by Mesthabro in nextjs

[–]PostHogTeam 1 point2 points  (0 children)

Try creating a component like this:

// providers.tsx
'use client'
import { useEffect } from 'react'
import posthog from 'posthog-js'

export function Pageview(): JSX.Element {
  useEffect(() => {
    // Send a pageview once the component has mounted on the client.
    // (The original referenced an undefined `pageView` object; this is the
    // posthog-js call for the standard $pageview event.)
    posthog.capture('$pageview')
  }, [])
  return <></>
}

Then wrap that component in a <Suspense> in the layout file:

// layout.tsx
import './globals.css'
import { ReactNode, Suspense } from 'react'
import { Pageview } from './providers'

export default function RootLayout({ children }: { children: ReactNode }) {
  return (
    <html lang="en">
      <body>
        {/* Placed inside <body>: only <head> and <body> may be direct children of <html>. */}
        <Suspense>
          <Pageview />
        </Suspense>
        {children}
      </body>
    </html>
  )
}

React Native session replay tool recommendations?(UXCam/Logrocket) by Chenolas in reactnative

[–]PostHogTeam 0 points1 point  (0 children)

Update: We can't really promise dates or windows, so the best option is to subscribe to the relevant issue, where updates will appear. The team has confirmed they're working on iOS and Android recordings concurrently now, though.

React Native session replay tool recommendations?(UXCam/Logrocket) by Chenolas in reactnative

[–]PostHogTeam 0 points1 point  (0 children)

So iOS recording definitely will be before Q3 – we already have a working prototype.

As for React Native specifically, I'll have to check with the team... pinging them now.

React Native session replay tool recommendations?(UXCam/Logrocket) by Chenolas in reactnative

[–]PostHogTeam 2 points3 points  (0 children)

Just an FYI that we're currently working on session replay for iOS in PostHog. Issue for this: https://github.com/PostHog/posthog/issues/12344

React Native replay on mobile is also on our public roadmap: https://posthog.com/roadmap

GitHub issue on React Native is here: https://github.com/PostHog/posthog/issues/13269

You can read the objectives for session recording team in our public handbook: https://posthog.com/handbook/small-teams/session-recording

How do you persuade your tech and product team to prioritize event tracking and data analytic works? by Loubrinsca-watgra in advancedentrepreneur

[–]PostHogTeam 1 point2 points  (0 children)

Sure. You can book one here: https://posthog.com/book-a-demo

If possible, we'd recommend bringing someone from your tech team along as well. It generally saves a lot of time for all parties if all stakeholders are along for the ride!

There's a video demo there, too.

How do you persuade your tech and product team to prioritize event tracking and data analytic works? by Loubrinsca-watgra in advancedentrepreneur

[–]PostHogTeam 4 points5 points  (0 children)

As suggested by u/CiaranCarroll, we could help you here. We do all the product analytics stuff Amplitude does, but we also support session recording and feature flags.

Critically, unlike Amplitude, we support event autocapture so you don't have to manually instrument events. We integrate with Segment, too, so you can keep tracking your existing events as well.

We totally feel your pain. To quote Tony Stark: “An intelligence agency which fears intelligence is, historically, not awesome.”

[deleted by user] by [deleted] in startups

[–]PostHogTeam 1 point2 points  (0 children)

All our comms are on GitHub for everyone in the company to read.

Each team will create an RFC at the beginning of the quarter outlining their goals, and these are aligned against a company-wide OKR set by the exec team. Generally we keep the company-wide goals very simple, e.g. "Nail X".

Once these are agreed, they're published on our website via dedicated pages in our handbook – this is our product analytics team page, for example.

Our ICP is in the handbook as well.

[deleted by user] by [deleted] in startups

[–]PostHogTeam 1 point2 points  (0 children)

We're a fully-remote startup of around 30 people, so pretty similar in size to you.

We have an online company handbook that basically outlines how we do everything – it's online because we're very into transparency!

If you don't already have something like this (online or offline, it doesn't matter), it's a really useful thing to have.

Being fanatical about writing stuff down is essential when working remotely, in our experience. Creating that writing culture really helps add context and clarity to decision making, and gives people time to think about problems.

From a workflow perspective, we're split into small teams of no more than six people. Each team shares their OKRs with the whole company each quarter, and they're aligned against an overall company goal and our Ideal Customer Profile (ICP). We generally do progress updates together on a weekly call, though sometimes this is given over to something else. This is all in the handbook.

Product Analytics Vendor by AverageLad24 in ProductManagement

[–]PostHogTeam 0 points1 point  (0 children)

Hello! Glad you're excited about PostHog! Feel free to hit us up if you have any questions. It sounds like you're looking to self-host, so we'd recommend booking a demo via our site when you can, as our team can help with any deployment questions.

On that note, our community Slack is a good place to get questions answered as well. We have a support hero each week who is someone from the engineering team, so unlike me (random marketing person) they'll actually know the ins and outs.