Headline
GHSA-j2hp-6m75-v4j4: imgproxy is vulnerable to SSRF against 0.0.0.0
Summary
Imgproxy does not block the 0.0.0.0 address, even with IMGPROXY_ALLOW_LOOPBACK_SOURCE_ADDRESSES set to false. This can expose services on the local host.
Details
imgproxy protects against SSRF against a loopback address with the following check (source):
if !config.AllowLoopbackSourceAddresses && ip.IsLoopback() {
return ErrSourceAddressNotAllowed
}
This check is insufficient to prevent accessing services on the local host, as services may receive traffic on 0.0.0.0. Go’s IsLoopback (source) strictly follows the definition of loopback IPs beginning with 127. 0.0.0.0 is not blocked.
- CVE-2025-24354
imgproxy is vulnerable to SSRF against 0.0.0.0
Moderate severity GitHub Reviewed Published Jan 27, 2025 in imgproxy/imgproxy • Updated Jan 27, 2025
Package
gomod github.com/imgproxy/imgproxy (Go)
Affected versions
< 3.27.2
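To make the gap concrete, the following is an added example written for this page, not imgproxy's code and not the project's actual fix (commit 3d4fed6). It models the quoted check beside a hardened variant that also rejects the unspecified address (0.0.0.0 and ::) via net.IP.IsUnspecified, so that disallowing loopback sources really covers every literal that lands on the local host. The function names vulnerableCheck, hardenedCheck and checkSource and the sample addresses are constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"net"
)

// Stand-in for imgproxy's error value; name assumed from the advisory text.
var ErrSourceAddressNotAllowed = errors.New("source address is not allowed")

// vulnerableCheck mirrors the check quoted in the advisory: when loopback
// sources are disallowed, only net.IP.IsLoopback (127.0.0.0/8 and ::1) is
// rejected, so 0.0.0.0 passes.
func vulnerableCheck(ip net.IP, allowLoopback bool) error {
	if !allowLoopback && ip.IsLoopback() {
		return ErrSourceAddressNotAllowed
	}
	return nil
}

// hardenedCheck additionally rejects the unspecified address (0.0.0.0 and ::),
// which the host routes to local listeners. This is an assumed design for the
// example, not the fix the project shipped.
func hardenedCheck(ip net.IP, allowLoopback bool) error {
	if !allowLoopback && (ip.IsLoopback() || ip.IsUnspecified()) {
		return ErrSourceAddressNotAllowed
	}
	return nil
}

// checkSource applies a check to an IP literal. A hostname would first have to
// be resolved and every resolved address checked, and the same check belongs
// on each redirect target, otherwise the literal-only check is bypassable.
func checkSource(host string, allowLoopback bool, check func(net.IP, bool) error) error {
	ip := net.ParseIP(host)
	if ip == nil {
		return fmt.Errorf("%q is not an IP literal; resolve it and check each address", host)
	}
	return check(ip, allowLoopback)
}

func main() {
	// Constructed sample inputs: loopback, unspecified, and one public address.
	for _, h := range []string{"127.0.0.1", "::1", "0.0.0.0", "::", "93.184.216.34"} {
		ip := net.ParseIP(h)
		fmt.Printf("%-15s blocked by quoted check=%-5v blocked by hardened check=%v\n", h,
			vulnerableCheck(ip, false) != nil, hardenedCheck(ip, false) != nil)
	}
}
```

Running it shows 127.0.0.1 and ::1 rejected by both checks, while 0.0.0.0 and :: are rejected only by the hardened one; the public address passes both. The checkSource wrapper is there to underline that the IP-level predicate is only useful when it runs on every address a request can actually reach, including DNS answers and redirect targets.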
References
- GHSA-j2hp-6m75-v4j4
- https://nvd.nist.gov/vuln/detail/CVE-2025-24354
- imgproxy/imgproxy@3d4fed6
Published to the GitHub Advisory Database
Jan 27, 2025
Last updated
Jan 27, 2025