ghsa-j2hp-6m75-v4j4
Vulnerability from github
Published
2025-01-27 20:50
Modified
2025-01-27 20:50
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
imgproxy is vulnerable to SSRF against 0.0.0.0
Details

Summary

Imgproxy does not block the 0.0.0.0 address, even with IMGPROXY_ALLOW_LOOPBACK_SOURCE_ADDRESSES set to false. This can expose services on the local host.

Details

imgproxy protects against SSRF against a loopback address with the following check (source):

if !config.AllowLoopbackSourceAddresses && ip.IsLoopback() { return ErrSourceAddressNotAllowed }

This check is insufficient to prevent accessing services on the local host, as services may receive traffic on 0.0.0.0. Go's IsLoopback (source) strictly follows the definition of loopback IPs beginning with 127. 0.0.0.0 is not blocked.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/imgproxy/imgproxy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.27.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-24354"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-27T20:50:21Z",
    "nvd_published_at": "2025-01-27T18:15:41Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nImgproxy does not block the `0.0.0.0` address, even with `IMGPROXY_ALLOW_LOOPBACK_SOURCE_ADDRESSES` set to false. This can expose services on the local host.\n\n### Details\n\nimgproxy protects against SSRF against a loopback address with the following check ([source](https://github.com/imgproxy/imgproxy/blob/0f37d62fd8326a32c213b30dd52e2319770885d8/security/source.go#L43C1-L47C1)):\n\n```\nif !config.AllowLoopbackSourceAddresses \u0026\u0026 ip.IsLoopback() {\n\treturn ErrSourceAddressNotAllowed\n}\n```\n\nThis check is insufficient to prevent accessing services on the local host, as services may receive traffic on `0.0.0.0`. Go\u0027s `IsLoopback` ([source](https://github.com/golang/go/blob/40b3c0e58a0ae8dec4684a009bf3806769e0fc41/src/net/ip.go#L126-L131)) strictly follows the definition of loopback IPs beginning with `127`. `0.0.0.0` is not blocked.",
  "id": "GHSA-j2hp-6m75-v4j4",
  "modified": "2025-01-27T20:50:21Z",
  "published": "2025-01-27T20:50:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/imgproxy/imgproxy/security/advisories/GHSA-j2hp-6m75-v4j4"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24354"
    },
    {
      "type": "WEB",
      "url": "https://github.com/imgproxy/imgproxy/commit/3d4fed6842aa8930ec224d0ad75b0079b858e081"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/imgproxy/imgproxy"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "imgproxy is vulnerable to SSRF against 0.0.0.0"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.