CVE-2025-24354
published 2025-01-27

CVE-2025-24354: imgproxy is a server for resizing, processing, and converting images. Imgproxy does not block the 0.0.0.0 address, even with…

Priority: P2 (77)
Severity: medium, 5.3 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:L / I:N / A:N
ITW / Exploit / VulnCheck KEV: Exploited in the wild
EPSS: 0.84% (53.3rd percentile)
imgproxy is a server for resizing, processing, and converting images. Imgproxy does not block the 0.0.0.0 address, even with IMGPROXY_ALLOW_LOOPBACK_SOURCE_ADDRESSES set to false. This can expose services on the local host. This vulnerability is fixed in 3.27.2.

Affected

3 ranges

Vendor      | Product               | Version range     | Fixed in
github.com  | imgproxy_imgproxy     | >= 0, < 3.27.2    | 3.27.2
github.com  | imgproxy_imgproxy_v3  | >= 0, < 3.27.2    | 3.27.2
imgproxy    | imgproxy              | < 3.27.2          | 3.27.2

Detection & IOCs (extracted from sources)

URL: /unsafe/plain/http://{{interactsh-url}}
URL: https://github.com/imgproxy/imgproxy/commit/3d4fed6842aa8930ec224d0ad75b0079b858e081
  • SSRF probe: send a GET request to /unsafe/plain/http://0.0.0.0/<port> on the imgproxy instance; a vulnerable server will attempt to fetch the address instead of blocking it, even when IMGPROXY_ALLOW_LOOPBACK_SOURCE_ADDRESSES=false.
  • Vulnerable version fingerprint: imgproxy versions prior to 3.27.2 are affected; the patch introduces an ip.IsUnspecified() check alongside the existing ip.IsLoopback() check.
  • Attack path requires network access to the imgproxy HTTP endpoint; no authentication is needed (PR:N, UI:N per CVSS).
  • The IMGPROXY_ALLOW_LOOPBACK_SOURCE_ADDRESSES=false configuration does NOT protect against SSRF via 0.0.0.0 in versions < 3.27.2; the setting only blocks classic loopback (127.x.x.x / ::1) addresses.
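The pre-fix and post-fix source-address checks described in the bullets above, written out in Go as an added example (not imgproxy's own code; the function names and the sample addresses are constructed for illustration). The unspecified address is the one the kernel delivers to the local host exactly like loopback, which is why a loopback-only check misses it.

```go
package main

import (
	"fmt"
	"net"
)

// legacySourceAddrAllowed reproduces the pre-3.27.2 logic as described above:
// with loopback sources disallowed, only IsLoopback() is consulted, so the
// unspecified address (0.0.0.0 / ::), which the OS delivers to the local
// host, is accepted.
func legacySourceAddrAllowed(ip net.IP, allowLoopback bool) bool {
	if ip == nil {
		return false // unparseable address: never allow
	}
	if allowLoopback {
		return true
	}
	return !ip.IsLoopback()
}

// sourceAddrAllowed is the hardened form: IsUnspecified() is checked
// alongside IsLoopback(), closing the 0.0.0.0 / :: bypass.
func sourceAddrAllowed(ip net.IP, allowLoopback bool) bool {
	if ip == nil {
		return false
	}
	if allowLoopback {
		return true
	}
	return !(ip.IsLoopback() || ip.IsUnspecified())
}

func main() {
	// Constructed sample of resolved source addresses a deployment with
	// IMGPROXY_ALLOW_LOOPBACK_SOURCE_ADDRESSES=false might see.
	samples := []string{"0.0.0.0", "::", "::ffff:0.0.0.0", "127.0.0.1", "::1", "203.0.113.10"}
	for _, s := range samples {
		ip := net.ParseIP(s)
		fmt.Printf("%-16s legacy=%-5v fixed=%v\n", s,
			legacySourceAddrAllowed(ip, false), sourceAddrAllowed(ip, false))
	}
}
```

Only the public address is allowed by the fixed check, while the legacy check also lets 0.0.0.0, :: and ::ffff:0.0.0.0 through.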

CVSS provenance

NVD (v3.1): 5.3 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
VulnCheck: 5.3 MEDIUM