ghsa-j2hp-6m75-v4j4
Vulnerability from github
Published
2025-01-27 20:50
Modified
2025-01-27 20:50
Severity ?
Summary
imgproxy is vulnerable to SSRF against 0.0.0.0
Details
Summary
Imgproxy does not block the 0.0.0.0 address, even with IMGPROXY_ALLOW_LOOPBACK_SOURCE_ADDRESSES set to false. This can expose services on the local host.
Details
imgproxy protects against SSRF against a loopback address with the following check (source):
if !config.AllowLoopbackSourceAddresses && ip.IsLoopback() {
return ErrSourceAddressNotAllowed
}
This check is insufficient to prevent accessing services on the local host, as services may receive traffic on 0.0.0.0. Go's IsLoopback (source) strictly follows the definition of loopback IPs beginning with 127. 0.0.0.0 is not blocked.
{ affected: [ { package: { ecosystem: "Go", name: "github.com/imgproxy/imgproxy", }, ranges: [ { events: [ { introduced: "0", }, { fixed: "3.27.2", }, ], type: "ECOSYSTEM", }, ], }, ], aliases: [ "CVE-2025-24354", ], database_specific: { cwe_ids: [ "CWE-918", ], github_reviewed: true, github_reviewed_at: "2025-01-27T20:50:21Z", nvd_published_at: "2025-01-27T18:15:41Z", severity: "MODERATE", }, details: "### Summary\n\nImgproxy does not block the `0.0.0.0` address, even with `IMGPROXY_ALLOW_LOOPBACK_SOURCE_ADDRESSES` set to false. This can expose services on the local host.\n\n### Details\n\nimgproxy protects against SSRF against a loopback address with the following check ([source](https://github.com/imgproxy/imgproxy/blob/0f37d62fd8326a32c213b30dd52e2319770885d8/security/source.go#L43C1-L47C1)):\n\n```\nif !config.AllowLoopbackSourceAddresses && ip.IsLoopback() {\n\treturn ErrSourceAddressNotAllowed\n}\n```\n\nThis check is insufficient to prevent accessing services on the local host, as services may receive traffic on `0.0.0.0`. Go's `IsLoopback` ([source](https://github.com/golang/go/blob/40b3c0e58a0ae8dec4684a009bf3806769e0fc41/src/net/ip.go#L126-L131)) strictly follows the definition of loopback IPs beginning with `127`. `0.0.0.0` is not blocked.", id: "GHSA-j2hp-6m75-v4j4", modified: "2025-01-27T20:50:21Z", published: "2025-01-27T20:50:21Z", references: [ { type: "WEB", url: "https://github.com/imgproxy/imgproxy/security/advisories/GHSA-j2hp-6m75-v4j4", }, { type: "ADVISORY", url: "https://nvd.nist.gov/vuln/detail/CVE-2025-24354", }, { type: "WEB", url: "https://github.com/imgproxy/imgproxy/commit/3d4fed6842aa8930ec224d0ad75b0079b858e081", }, { type: "PACKAGE", url: "https://github.com/imgproxy/imgproxy", }, ], schema_version: "1.4.0", severity: [ { score: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", type: "CVSS_V3", }, ], summary: "imgproxy is vulnerable to SSRF against 0.0.0.0", }
Log in or create an account to share your comment.
Security Advisory comment format.
This schema specifies the format of a comment related to a security advisory.
Title of the comment
Description of the comment
Loading…
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.