5.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-24354

CVE-2025-24354: imgproxy is vulnerable to SSRF against 0.0.0.0

Summary

Imgproxy does not block the 0.0.0.0 address, even with IMGPROXY_ALLOW_LOOPBACK_SOURCE_ADDRESSES set to false. This can expose services on the local host.

Details

imgproxy protects against SSRF against a loopback address with the following check (source):

if !config.AllowLoopbackSourceAddresses && ip.IsLoopback() {
	return ErrSourceAddressNotAllowed
}

This check is insufficient to prevent accessing services on the local host, as services may receive traffic on 0.0.0.0. Go's IsLoopback (source) strictly follows the definition of loopback IPs beginning with 127. 0.0.0.0 is not blocked.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-24354

CVE-2025-24354:

5.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/imgproxy/imgproxy	go	< 3.27.2	3.27.2

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the VerifySourceNetwork function's IP validation logic. The original implementation in security/source.go only checked for loopback addresses using Go's ip.IsLoopback() which excludes 0.0.0.0. The commit diff shows the vulnerability was patched by adding ip.IsUnspecified() check to block 0.0.0.0 addresses. This function is directly responsible for source address validation and contained the flawed logic described in the advisory.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-24354: imgproxy is vulnerable to SSRF against 0.0.0.0

Summary

Details

CVE-2025-24354:

5.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

5.3

5.3

Basic Information

Basic Information

CVE-2025-24354: imgproxy is vulnerable to SSRF against 0.0.0.0

Summary

Details

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI