GHSA-j2hp-6m75-v4j4
Suggest an improvement- Source
- https://github.com/advisories/GHSA-j2hp-6m75-v4j4
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-j2hp-6m75-v4j4/GHSA-j2hp-6m75-v4j4.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-j2hp-6m75-v4j4
- Aliases
- Published
- 2025-01-27T20:50:21Z
- Modified
- 2025-01-28T15:41:50.479958Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- imgproxy is vulnerable to SSRF against 0.0.0.0
- Details
-
Summary
Imgproxy does not block the
0.0.0.0address, even withIMGPROXY_ALLOW_LOOPBACK_SOURCE_ADDRESSESset to false. This can expose services on the local host.Details
imgproxy protects against SSRF against a loopback address with the following check (source):
if !config.AllowLoopbackSourceAddresses && ip.IsLoopback() { return ErrSourceAddressNotAllowed }This check is insufficient to prevent accessing services on the local host, as services may receive traffic on
0.0.0.0. Go'sIsLoopback(source) strictly follows the definition of loopback IPs beginning with127.0.0.0.0is not blocked. - Database specific
{ "nvd_published_at": "2025-01-27T18:15:41Z", "cwe_ids": [ "CWE-918" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2025-01-27T20:50:21Z" }- References
Affected packages
Go / github.com/imgproxy/imgproxy
Package
- Name
- github.com/imgproxy/imgproxy
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/imgproxy/imgproxy