CVE-2025-67427

Source
https://cve.org/CVERecord?id=CVE-2025-67427
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-67427.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-67427
Published
2026-01-05T20:16:03.350Z
Modified
2026-03-13T03:42:06.024166Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Details

A Blind Server-Side Request Forgery (SSRF) vulnerability in evershop 2.1.0 and prior allows unauthenticated attackers to force the server to initiate an HTTP request via the "GET /images" API. The vulnerability occurs due to insufficient validation of the "src" query parameter, which permits arbitrary HTTP or HTTPS URIs, resulting in unexpected requests against internal and external networks.

Affected packages

Git / github.com/evershopcommerce/evershop

Affected ranges

Type
GIT
Repo
https://github.com/evershopcommerce/evershop
Events
Introduced
0 (unknown introducing commit; all previous commits are affected)
Last affected
2.1.0
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.1.0"
        }
    ]
}

Affected versions

1.0.0-rc.9
v1.0.0
v1.1.0
v1.2.0
v1.2.1
v1.2.2
v2.0.0
v2.0.1
v2.1.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-67427.json"