#ssrf

Microsoft has released its monthly security update for January of 2025 which includes 58 vulnerabilities, including 3 that Microsoft marked as “critical” and one marked as "moderate". The remaining vulnerabilities listed are classified as “important.”

Versions of the package hackney from 0.0.0 are vulnerable to Server-side Request Forgery (SSRF) due to improper parsing of URLs by URI built-in module and hackey. Given the URL http://127.0.0.1?@127.2.2.2/, the URI function will parse and see the host as 127.0.0.1 (which is correct), and hackney will refer the host as 127.2.2.2/. This vulnerability can be exploited when users rely on the URL function for host checking.

### Summary This vulnerability allows a user to bypass any predefined hardcoded URL path or security anti-Localhost mechanism and perform an arbitrary GET request to any Host, Port and URL using a Webfinger Request. ### Details The Webfinger endpoint takes a remote domain for checking accounts as a feature, however, as per the ActivityPub spec (https://www.w3.org/TR/activitypub/#security-considerations), on the security considerations section at B.3, access to Localhost services should be prevented while running in production. The library attempts to prevent Localhost access using the following mechanism (/src/config.rs): ```rust pub(crate) async fn verify_url_valid(&self, url: &Url) -> Result<(), Error> { match url.scheme() { "https" => {} "http" => { if !self.allow_http_urls { return Err(Error::UrlVerificationError( "Http urls are only allowed in debug mode", )); ...

Zimbra has released software updates to address critical security flaws in its Collaboration software that, if successfully exploited, could result in information disclosure under certain conditions. The vulnerability, tracked as CVE-2025-25064, carries a CVSS score of 9.8 out of a maximum of 10.0. It has been described as an SQL injection bug in the ZimbraSync Service SOAP endpoint affecting

### Impact In mitmweb 11.1.0 and below, a malicious client can use mitmweb's proxy server (bound to `*:8080` by default) to access mitmweb's internal API (bound to `127.0.0.1:8081` by default). In other words, while the client cannot access the API directly (good), they can access the API through the proxy (bad). An attacker may be able to escalate this [SSRF](https://en.wikipedia.org/wiki/Server-side_request_forgery)-style access to remote code execution. The mitmproxy and mitmdump tools are unaffected. Only mitmweb is affected. The `block_global` option, which is enabled by default, blocks connections originating from publicly-routable IP addresses in the proxy. The attacker needs to be in the same local network. ### Patches The vulnerability has been fixed in mitmproxy 11.1.2 and above. ### Acknowledgements We thank Stefan Grönke (@gronke) for reporting this vulnerability as part of a security audit by [Radically Open Security](https://www.radicallyopensecurity.com/). This audi...

### Summary Imgproxy does not block the `0.0.0.0` address, even with `IMGPROXY_ALLOW_LOOPBACK_SOURCE_ADDRESSES` set to false. This can expose services on the local host. ### Details imgproxy protects against SSRF against a loopback address with the following check ([source](https://github.com/imgproxy/imgproxy/blob/0f37d62fd8326a32c213b30dd52e2319770885d8/security/source.go#L43C1-L47C1)): ``` if !config.AllowLoopbackSourceAddresses && ip.IsLoopback() { return ErrSourceAddressNotAllowed } ``` This check is insufficient to prevent accessing services on the local host, as services may receive traffic on `0.0.0.0`. Go's `IsLoopback` ([source](https://github.com/golang/go/blob/40b3c0e58a0ae8dec4684a009bf3806769e0fc41/src/net/ip.go#L126-L131)) strictly follows the definition of loopback IPs beginning with `127`. `0.0.0.0` is not blocked.

SSRF vulnerability in Edit Service Page of Apache Ranger UI in Apache Ranger Version 2.4.0. Users are recommended to upgrade to version Apache Ranger 2.5.0, which fixes this issue.

### Summary This vulnerability allows a user to maneuver the Webfinger mechanism to perform a GET request to any internal resource on any Host, Port, URL combination regardless of present security mechanisms, and forcing the victim’s server into an infinite loop causing Denial of Service. Moreover, this issue can also be maneuvered into performing a Blind SSRF attack. ### Details The Webfinger endpoint takes a remote domain for checking accounts as a feature, however, as per the ActivityPub spec (https://www.w3.org/TR/activitypub/#security-considerations), on the security considerations section at B.3, access to Localhost services should be prevented while running in production. The **lookupWebFinger** function, responsible for returning an actor handler for received actor objects from a remote server, can be abused to perform a Denial of Service (DoS) and Blind SSRF attacks while attempting to resolve a malicious actor’s object. On Fedify, two client-facing functions implement the *...

### Impact Gomatrixserverlib is vulnerable to server-side request forgery, serving content from a private network it can access, under certain conditions. ### Patches c4f1e01eab0dd435709ad15463ed38a079ad6128 fixes this issue. ### Workarounds Use a local firewall to limit the network segments and hosts the service using gomatrixserverlib can access. ### References N/A

### Impact Matrix Media Repo (MMR) is vulnerable to server-side request forgery, serving content from a private network it can access, under certain conditions. ### Patches This is fixed in [MMR v1.3.8](https://github.com/t2bot/matrix-media-repo/releases/tag/v1.3.8). ### Workarounds Restricting which hosts MMR is allowed to contact via (local) firewall rules or a transparent proxy. ### References https://owasp.org/www-community/attacks/Server_Side_Request_Forgery https://learn.snyk.io/lesson/ssrf-server-side-request-forgery/ https://www.agwa.name/blog/post/preventing_server_side_request_forgery_in_golang