Server-side Request Forgery (SSRF) Affecting github.com/imgproxy/imgproxy/v3/security package, versions <3.27.2
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Server-side Request Forgery (SSRF) vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-GOLANG-GITHUBCOMIMGPROXYIMGPROXYV3SECURITY-8663875
- published28 Jan 2025
- disclosed27 Jan 2025
- creditPhan Nguyên Long, Khang Tran
Introduced: 27 Jan 2025
NewCVE-2025-24354 Â (opens in a new tab)Common Vulnerabilities and Exposures (CVE) are common identifiers for publicly known security vulnerabilities
Common Weakness Enumeration (CWE) is a category system for software weaknesses
How to fix?
Upgrade github.com/imgproxy/imgproxy/v3/security to version 3.27.2 or higher.
Overview
Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) due to improper blocking of the 0.0.0.0 address, even when IMGPROXY_ALLOW_LOOPBACK_SOURCE_ADDRESSES is set to false. An attacker can access services on the local host by sending requests to 0.0.0.0.