CVE-2025-24354
Published 2025-01-27
Priority: P2 (77) · Severity: medium · CVSS 3.1 base score: 5.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploited in the wild (ITW) · exploit available · listed in VulnCheck KEV
EPSS: 0.84% (53.3rd percentile)
imgproxy is a server for resizing, processing, and converting images. imgproxy does not block the 0.0.0.0 address, even with IMGPROXY_ALLOW_LOOPBACK_SOURCE_ADDRESSES set to false. This can expose services on the local host. This vulnerability is fixed in 3.27.2.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | imgproxy_imgproxy | >= 0 < 3.27.2 | 3.27.2 |
| github.com | imgproxy_imgproxy_v3 | >= 0 < 3.27.2 | 3.27.2 |
| imgproxy | imgproxy | < 3.27.2 | 3.27.2 |
Detection & IOCs (extracted from sources)
url: /unsafe/plain/http://{{interactsh-url}}
url: https://github.com/imgproxy/imgproxy/commit/3d4fed6842aa8930ec224d0ad75b0079b858e081
- SSRF probe: send a GET request for /unsafe/plain/http://0.0.0.0:<port>/ to the imgproxy instance; a vulnerable server attempts to fetch the address instead of rejecting it, even with IMGPROXY_ALLOW_LOOPBACK_SOURCE_ADDRESSES=false. The /unsafe/ prefix is only honoured when the instance accepts unsigned URLs; once IMGPROXY_KEY and IMGPROXY_SALT are configured and unsafe URLs are not explicitly allowed, the same path must carry a valid signature, which limits the probe to whoever holds the key.
- Vulnerable version fingerprint: imgproxy versions prior to 3.27.2 are affected; the fix adds an ip.IsUnspecified() check alongside the existing ip.IsLoopback() check (commit linked above).
- Attack path: requires network access to the imgproxy HTTP endpoint; no authentication is needed (PR:N, UI:N per CVSS).
- IMGPROXY_ALLOW_LOOPBACK_SOURCE_ADDRESSES=false does not protect against SSRF via 0.0.0.0 in versions < 3.27.2; the setting only blocks classic loopback addresses (127.0.0.0/8 and ::1), which is exactly what Go's net.IP.IsLoopback covers, and 0.0.0.0 is not among them.
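The probe above can be turned around into detection logic for the logs of a reverse proxy that fronts imgproxy. The following Go program is an added example (my code, not imgproxy's and not from the page): it recovers the source URL from each request path in both layouts imgproxy accepts after the signature and processing-option segments (`/plain/<url>[@ext]`, or a base64url-encoded URL with optional `.ext` that may be split across `/` segments; encrypted `enc/` URLs are not handled), then flags hosts that are loopback, the unspecified address, or `localhost`. The log format (nginx combined), the client address and every log line are constructed for the example.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"net"
	"net/url"
	"regexp"
	"strings"
)

// Finding is one logged request whose imgproxy source URL points at the local host.
type Finding struct {
	Line   int    // 1-based line number in the scanned log
	Source string // decoded source URL
	Host   string // host that triggered the match
}

var requestRe = regexp.MustCompile(`"(?:GET|HEAD) (\S+) HTTP/`) // path from a combined-format log line
// ExtractSourceURL recovers the source URL from an imgproxy request path. After the
// signature (or "unsafe") and the key:value processing options, imgproxy accepts either
// /plain/<url>[@ext] or a base64url URL[.ext] that may be split across "/" segments.
func ExtractSourceURL(path string) (string, bool) {
	if i := strings.Index(path, "/plain/"); i >= 0 {
		src := path[i+len("/plain/"):]
		// Drop the optional "@ext" output-format suffix, but not a userinfo "@".
		if at := strings.LastIndex(src, "@"); at > strings.LastIndex(src, "/") {
			src = src[:at]
		}
		return src, src != ""
	}
	var blob []string
	segs := strings.Split(strings.Trim(path, "/"), "/")
	for _, s := range segs[1:] { // segs[0] is the signature or "unsafe"
		if strings.Contains(s, ":") { // an option such as rs:fill:300:300
			blob = blob[:0] // the base64 blob starts after the last option
			continue
		}
		blob = append(blob, s)
	}
	joined := strings.Join(blob, "")
	if dot := strings.LastIndex(joined, "."); dot >= 0 { // ".ext"; base64url has no "."
		joined = joined[:dot]
	}
	raw, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(joined, "="))
	if err != nil || len(raw) == 0 {
		return "", false
	}
	return string(raw), true
}

// IsLocalhostTarget reports whether a literal host reaches services on the imgproxy host
// itself: loopback (127.0.0.0/8, ::1), the unspecified address (0.0.0.0 and ::, which Linux
// delivers locally on connect), or "localhost". DNS names are not resolved (offline check).
func IsLocalhostTarget(host string) bool {
	h := strings.ToLower(strings.Trim(host, "[]"))
	if h == "localhost" {
		return true
	}
	ip := net.ParseIP(h)
	return ip != nil && (ip.IsLoopback() || ip.IsUnspecified())
}

// ScanLogLines runs the two helpers over access-log lines and returns the hits.
func ScanLogLines(lines []string) []Finding {
	var out []Finding
	for i, line := range lines {
		m := requestRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		src, ok := ExtractSourceURL(m[1])
		if !ok {
			continue
		}
		u, err := url.Parse(src)
		if err != nil || !IsLocalhostTarget(u.Hostname()) {
			continue
		}
		out = append(out, Finding{Line: i + 1, Source: src, Host: u.Hostname()})
	}
	return out
}

// SampleLog is a constructed access log (not real traffic) from a reverse proxy in front
// of imgproxy; the third line carries base64url("http://0.0.0.0:8080/admin").
var SampleLog = []string{
	`203.0.113.7 - - [27/Jan/2025:10:00:01 +0000] "GET /unsafe/rs:fill:300:300/plain/https://images.example.com/cat.jpg@webp HTTP/1.1" 200 18211`,
	`203.0.113.7 - - [27/Jan/2025:10:00:02 +0000] "GET /unsafe/plain/http://0.0.0.0:8080/admin HTTP/1.1" 200 512`,
	`203.0.113.7 - - [27/Jan/2025:10:00:03 +0000] "GET /unsafe/rs:fit:100:100/aHR0cDovLzAuMC4wLjA6ODA4MC9hZG1pbg.png HTTP/1.1" 200 512`,
	`203.0.113.7 - - [27/Jan/2025:10:00:04 +0000] "GET /unsafe/plain/http://[::]:9000/metrics HTTP/1.1" 200 90`,
	`203.0.113.7 - - [27/Jan/2025:10:00:05 +0000] "GET /health HTTP/1.1" 200 2`,
}

func main() {
	for _, f := range ScanLogLines(SampleLog) {
		fmt.Printf("line %d: host %q in source %s\n", f.Line, f.Host, f.Source)
	}
}
```

Only literal addresses are classified; a hostname under attacker control that resolves to 0.0.0.0 or 127.0.0.1 needs resolution at scan time (or the resolver's own logs) to be caught, and numeric encodings that net.ParseIP rejects (decimal, octal, hex) are not normalised here.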
CVSS provenance
NVD (v3.1): 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
VulnCheck: 5.3 MEDIUM
OSV
imgproxy is vulnerable to SSRF against 0.0.0.0 in github.com/imgproxy/imgproxy
osv · 2025-01-28 · CVE-2025-24354
OSV
imgproxy is vulnerable to SSRF against 0.0.0.0
osv · 2025-01-27 · CVE-2025-24354 [MEDIUM]
### Summary
Imgproxy does not block the `0.0.0.0` address, even with `IMGPROXY_ALLOW_LOOPBACK_SOURCE_ADDRESSES` set to false. This can expose services on the local host.
### Details
imgproxy protects against SSRF to a loopback address with the following check ([source](https://github.com/imgproxy/imgproxy/blob/0f37d62fd8326a32c213b30dd52e2319770885d8/security/source.go#L43C1-L47C1)):
```
if !config.AllowLoopbackSourceAddresses && ip.IsLoopback() {
	return ErrSourceAddressNotAllowed
}
```
This check is insufficient to prevent accessing services on the local host, as services may receive traffic on `0.0.0.0`. Go's `IsLoopback` ([source](https://github.com/golang/go/blob/40b3c0e58a0ae8dec4684a009bf3806769e0fc41/src/net/ip.go#L126-L131))
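The following Go program is an added example (my code, not imgproxy's and not part of the advisory) that puts the quoted check next to the shape of the 3.27.2 fix (an `ip.IsUnspecified()` test alongside `ip.IsLoopback()`, as the detection notes above describe) and runs both over a constructed list of literal addresses with `IMGPROXY_ALLOW_LOOPBACK_SOURCE_ADDRESSES=false`. The function names, the `Verdict` type and the address list are mine; the real server resolves the source hostname first and checks each resolved IP, which is why literals are used here so the example runs offline.

```go
package main

import (
	"errors"
	"fmt"
	"net"
)

// ErrSourceAddressNotAllowed mirrors the error name used in the snippet above.
var ErrSourceAddressNotAllowed = errors.New("source address is not allowed")

// verifyBefore3272 has the shape of the vulnerable check: with the setting off, only
// net.IP.IsLoopback is consulted, which is true for 127.0.0.0/8 and ::1 and nothing else.
func verifyBefore3272(allowLoopback bool, ip net.IP) error {
	if !allowLoopback && ip.IsLoopback() {
		return ErrSourceAddressNotAllowed
	}
	return nil
}

// verifyFixed adds net.IP.IsUnspecified, which is true for 0.0.0.0 and :: (including the
// IPv4-mapped form ::ffff:0.0.0.0); this is the shape of the 3.27.2 fix.
func verifyFixed(allowLoopback bool, ip net.IP) error {
	if !allowLoopback && (ip.IsLoopback() || ip.IsUnspecified()) {
		return ErrSourceAddressNotAllowed
	}
	return nil
}

// Verdict records what each version of the check does with one literal address when
// IMGPROXY_ALLOW_LOOPBACK_SOURCE_ADDRESSES=false (allowLoopback == false).
type Verdict struct {
	Addr          string
	BlockedBefore bool
	BlockedAfter  bool
}

// Compare runs both checks over literal addresses. Input that net.ParseIP rejects is
// reported as blocked by neither, since neither check would ever see it as an IP.
func Compare(addrs []string) []Verdict {
	out := make([]Verdict, 0, len(addrs))
	for _, a := range addrs {
		v := Verdict{Addr: a}
		if ip := net.ParseIP(a); ip != nil {
			v.BlockedBefore = verifyBefore3272(false, ip) != nil
			v.BlockedAfter = verifyFixed(false, ip) != nil
		}
		out = append(out, v)
	}
	return out
}

// Candidates is a constructed list: classic loopback, the unspecified addresses that slip
// past the old check, and an RFC 1918 address that the loopback setting never covered.
var Candidates = []string{"127.0.0.1", "127.8.8.8", "::1", "0.0.0.0", "::", "::ffff:0.0.0.0", "10.0.0.1"}

func main() {
	fmt.Printf("%-18s %-8s %-8s\n", "address", "<3.27.2", "3.27.2")
	for _, v := range Compare(Candidates) {
		fmt.Printf("%-18s %-8v %-8v\n", v.Addr, v.BlockedBefore, v.BlockedAfter)
	}
}
```

The practical reason 0.0.0.0 matters is that on Linux a TCP connect() to 0.0.0.0 is delivered to the local host, so any service listening on 127.0.0.1 or on all interfaces is reachable through it; the old check never saw it as loopback because IsLoopback only tests for 127.0.0.0/8 and ::1.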
GHSA
imgproxy is vulnerable to SSRF against 0.0.0.0
ghsa · 2025-01-27 · CVE-2025-24354 [MEDIUM] · CWE-918 (advisory text identical to the OSV entry above)
VulnCheck
evilmartians imgproxy Server-Side Request Forgery (SSRF)
vulncheck · 2025 · CVE-2025-24354 [MEDIUM] · CVSS 5.3
Affected: evilmartians imgproxy
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://app.crowdsec.net/cti/cve-explorer/CVE-2025-24354
Exploit PoC: https://vulncheck.com/xdb/920e26282c22
No detection rules found.
Nuclei
Imgproxy < 3.27.2 - Server-Side Request Forgery (SSRF)
nuclei · CVE-2025-24354 [MEDIUM] · CVSS 5.3
imgproxy does not block the 0.0.0.0 address even when IMGPROXY_ALLOW_LOOPBACK_SOURCE_ADDRESSES is set to false, which can expose local services; exploitation requires network access to the instance.
Template:
```yaml
id: CVE-2025-24354

info:
  name: Imgproxy < 3.27.2 - Server-Side Request Forgery (SSRF)
  author: oksuzkayra
  severity: medium
  description: |
    imgproxy contains an issue caused by not blocking the 0.0.0.0 address even when IMGPROXY_ALLOW_LOOPBACK_SOURCE_ADDRESSES is set to false, letting local services be exposed, exploit requires network access.
  impact: |
    Local services may be exposed to unauthorized access, risking information disclosure or local system compromise.
  remediation: |
    The vulnerability has been fixed in imgproxy
```
No writeups or analysis indexed.