GHSA-j2hp-6m75-v4j4

Source

https://github.com/advisories/GHSA-j2hp-6m75-v4j4

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-j2hp-6m75-v4j4/GHSA-j2hp-6m75-v4j4.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-j2hp-6m75-v4j4

Aliases

Published

2025-01-27T20:50:21Z

Modified

2025-01-28T15:41:48.647690Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

imgproxy is vulnerable to SSRF against 0.0.0.0

Details

Summary

Imgproxy does not block the 0.0.0.0 address, even with IMGPROXY_ALLOW_LOOPBACK_SOURCE_ADDRESSES set to false. This can expose services on the local host.

Details

imgproxy protects against SSRF against a loopback address with the following check (source):

if !config.AllowLoopbackSourceAddresses && ip.IsLoopback() {
    return ErrSourceAddressNotAllowed
}

This check is insufficient to prevent accessing services on the local host, as services may receive traffic on 0.0.0.0. Go's IsLoopback (source) strictly follows the definition of loopback IPs beginning with 127. 0.0.0.0 is not blocked.

Database specific

{
    "nvd_published_at": "2025-01-27T18:15:41Z",
    "cwe_ids": [
        "CWE-918"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-27T20:50:21Z"
}

References

Affected packages

Go / github.com/imgproxy/imgproxy

Package

Name: github.com/imgproxy/imgproxy; View open source insights on deps.dev
Purl: pkg:golang/github.com/imgproxy/imgproxy

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.27.2