CVE-2025-24354

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-24354
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-24354.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-24354
Aliases
Related
Published
2025-01-27T18:15:41Z
Modified
2025-01-28T15:41:50.479958Z
Summary
[none]
Details

imgproxy is server for resizing, processing, and converting images. Imgproxy does not block the 0.0.0.0 address, even with IMGPROXYALLOWLOOPBACKSOURCEADDRESSES set to false. This can expose services on the local host. This vulnerability is fixed in 3.27.2.

References

Affected packages

Git / github.com/imgproxy/imgproxy

Affected ranges

Type
GIT
Repo
https://github.com/imgproxy/imgproxy
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
3d4fed6842aa8930ec224d0ad75b0079b858e081

Affected versions

v1.*

v1.0
v1.1
v1.1.1
v1.1.2
v1.1.3
v1.1.4
v1.1.5
v1.1.5.1
v1.1.6
v1.1.7
v1.1.8

v2.*

v2.0.0
v2.0.1
v2.0.2
v2.0.3
v2.1.0
v2.1.0.beta1
v2.1.0.beta2
v2.1.0.rc1
v2.1.0.rc2
v2.1.1
v2.1.2
v2.1.3
v2.1.4
v2.1.5
v2.10.0
v2.10.1
v2.11.0
v2.12.0
v2.13.0
v2.13.1
v2.14.0
v2.14.1
v2.15.0
v2.16.0
v2.16.1
v2.16.2
v2.16.3
v2.16.4
v2.16.5
v2.16.6
v2.16.7
v2.17.0
v2.2.0
v2.2.0.rc1
v2.2.1
v2.2.10
v2.2.11
v2.2.12
v2.2.13
v2.2.2
v2.2.2.beta1
v2.2.2.beta2
v2.2.2.beta3
v2.2.2.beta4
v2.2.3
v2.2.4
v2.2.5
v2.2.6
v2.2.7
v2.2.8
v2.2.9
v2.3.0
v2.4.0
v2.4.1
v2.5.0
v2.6.0
v2.6.1
v2.6.2
v2.7.0
v2.8.0
v2.8.1
v2.8.2
v2.9.0

v3.*

v3.0.0
v3.0.0.beta1
v3.0.0.beta2
v3.1.0
v3.1.1
v3.1.2
v3.1.3
v3.10.0
v3.11.0
v3.12.0
v3.13.0
v3.13.1
v3.13.2
v3.14.0
v3.15.0
v3.16.0
v3.16.1
v3.17.0
v3.18.0
v3.18.1
v3.18.2
v3.19.0
v3.2.0
v3.2.1
v3.2.2
v3.20.0
v3.21.0
v3.22.0
v3.23.0
v3.24.0
v3.24.1
v3.25.0
v3.26.0
v3.26.1
v3.27.0
v3.27.1
v3.3.0
v3.3.1
v3.3.2
v3.3.3
v3.4.0
v3.5.0
v3.5.1
v3.6.0
v3.7.0
v3.7.1
v3.7.2
v3.8.0
v3.9.0