CVE-2024-25294

9.1 CRITICAL

📋 TL;DR

This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in REBUILD v3.5 that allows remote attackers to make unauthorized requests from the vulnerable server. Attackers can exploit this to access internal systems, steal sensitive data, and potentially execute arbitrary code. All systems running REBUILD v3.5 are affected.

💻 Affected Systems

Products:
  • REBUILD
Versions: v3.5
Operating Systems: All platforms running REBUILD
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in FileDownloader.java's proxyDownload function and affects all deployments of REBUILD v3.5 regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise through arbitrary code execution leading to data theft, lateral movement, and complete control of affected systems.

🟠 Likely Case: Sensitive information disclosure from internal systems and potential access to cloud metadata services.

🟢 If Mitigated: Limited to port scanning of internal networks if proper network segmentation and egress filtering are in place.

🌐 Internet-Facing: HIGH - The vulnerability can be exploited remotely without authentication against internet-facing instances.
🏢 Internal Only: HIGH - Even internal instances are vulnerable to attacks from within the network perimeter.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability requires no authentication and has publicly available technical details, making exploitation straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: http://rebuild.com

Restart Required: No

Instructions:

1. Check REBUILD vendor website for security updates
2. Upgrade to a patched version when available
3. Monitor GitHub repository for fixes

🔧 Temporary Workarounds

Input Validation and URL Whitelisting (applies to: all platforms)

  • Implement strict validation of the URL parameter in the proxyDownload function so that only trusted domains are allowed
  • Modify FileDownloader.java to validate URLs against an allowlist

Network Segmentation (applies to: all platforms)

  • Restrict outbound network access from REBUILD servers to only the services they need
  • Configure firewall rules to block outbound traffic to internal networks and cloud metadata services
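The following is an added reference implementation, not REBUILD's code and not part of the original advisory, showing the allowlist-plus-resolved-address check that the first workaround describes for a proxy-download style endpoint. The allowlist entries, the constructed DNS answers and the function names are assumptions; the check also rejects the link-local metadata address named in the detection section.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical allowlist: a real deployment would load these from configuration.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"files.example.com", "cdn.example.com"}


def is_blocked_ip(ip_text):
    """True for any address a proxy-download endpoint must never reach: private
    ranges, loopback, link-local (which includes the cloud metadata address
    169.254.169.254), multicast, reserved and unspecified addresses."""
    ip = ipaddress.ip_address(ip_text)
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_download_url(url, resolver=socket.gethostbyname):
    """Return (True, resolved_ip) if the URL may be fetched, else (False, reason).

    `resolver` is injectable so the logic can be exercised offline. The caller
    must connect to the returned IP rather than re-resolving the name (closes
    the DNS-rebinding window) and must re-run this check on every redirect."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    host = parts.hostname  # lowercased; IPv6 brackets already stripped
    if not host:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    if host not in ALLOWED_HOSTS:
        return False, "host not in allowlist"
    try:
        resolved = resolver(host)
    except (OSError, KeyError):
        return False, "name resolution failed"
    if is_blocked_ip(resolved):
        return False, f"{host} resolves to blocked address {resolved}"
    return True, resolved


if __name__ == "__main__":
    # Constructed DNS answers so the demo runs offline; cdn.example.com is made
    # to resolve to a private address to show the post-resolution check firing.
    fake_dns = {"files.example.com": "93.184.216.34", "cdn.example.com": "10.0.0.5"}
    for u in ("https://files.example.com/report.pdf", "https://cdn.example.com/x",
              "http://169.254.169.254/latest/meta-data/", "ftp://files.example.com/x"):
        print(u, "->", validate_download_url(u, fake_dns.__getitem__))
```

An allowlist check on the hostname alone is not enough: the resolved address must be checked too, because an allowlisted name can be pointed at an internal address.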

🧯 If You Can't Patch

  • Implement Web Application Firewall (WAF) rules to block SSRF patterns in URL parameters
  • Isolate REBUILD servers in a DMZ with strict egress filtering

🔍 How to Verify

Check if Vulnerable:

Check whether the REBUILD version is 3.5 and review FileDownloader.java to confirm that the proxyDownload function lacks proper URL validation

Check Version:

Check REBUILD version in application interface or configuration files

Verify Fix Applied:

Test that the proxyDownload function properly validates URLs and rejects internal and otherwise unauthorized addresses

📡 Detection & Monitoring

Log Indicators:

  • Unusual outbound requests from REBUILD server to internal IPs
  • Requests to cloud metadata endpoints (169.254.169.254, etc.)
  • Multiple failed URL validation attempts

Network Indicators:

  • REBUILD server making unexpected outbound connections
  • Traffic to internal services from REBUILD server

SIEM Query:

source_ip="REBUILD_SERVER_IP" AND (dest_ip IN internal_ranges OR dest_ip="169.254.169.254")
