CVE-2025-24354
📋 TL;DR
Imgproxy fails to block the 0.0.0.0 address even when loopback source addresses are restricted, allowing attackers to potentially access services on the local host. This affects all imgproxy deployments with IMGPROXY_ALLOW_LOOPBACK_SOURCE_ADDRESSES set to false. The vulnerability allows bypassing intended network restrictions.
💻 Affected Systems
- imgproxy
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access sensitive internal services, potentially leading to data exfiltration, lateral movement, or service disruption.
Likely Case
Limited information disclosure from internal services that respond to requests from 0.0.0.0, potentially exposing metadata or configuration details.
If Mitigated
With proper network segmentation and firewall rules, impact is limited to services that specifically respond to 0.0.0.0 requests.
🎯 Exploit Status
Exploitation requires knowledge of internal services and their endpoints. The vulnerability is simple to trigger but impact depends on what internal services are accessible.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.27.2
Vendor Advisory: https://github.com/imgproxy/imgproxy/security/advisories/GHSA-j2hp-6m75-v4j4
Restart Required: Yes
Instructions:
1. Update imgproxy to version 3.27.2 or later.
2. Restart the imgproxy service.
3. Verify the fix by testing that 0.0.0.0 addresses are properly blocked.
🔧 Temporary Workarounds
Network Firewall Restriction
Linux: Block outbound connections from imgproxy to internal services using firewall rules. The rules below assume imgproxy runs as the imgproxy system user (the owner match only works in the OUTPUT chain). Note that on Linux a connection to 0.0.0.0 is delivered over the loopback interface with destination 127.0.0.1, so the 127.0.0.0/8 rule is the one that actually catches it; add matching ip6tables rules for ::1 and :: if IPv6 is enabled.
iptables -A OUTPUT -p tcp -m owner --uid-owner imgproxy -d 127.0.0.0/8 -j DROP
iptables -A OUTPUT -p tcp -m owner --uid-owner imgproxy -d 0.0.0.0 -j DROP
Disable Image Processing from Network Sources
All platforms: Configure imgproxy to only process local files by setting appropriate source restrictions.
Set IMGPROXY_ALLOWED_SOURCES to local paths only
🧯 If You Can't Patch
- Implement strict network segmentation to isolate imgproxy from sensitive internal services.
- Deploy a reverse proxy or WAF in front of imgproxy to filter requests containing 0.0.0.0 addresses.
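Why a loopback-only filter misses this case, and what a filter needs to check instead, shown as an added Go example (illustrative code written for this page, not imgproxy's own implementation): weakIsBlocked models a filter that only tests for loopback addresses, hardenedIsBlocked additionally rejects the unspecified addresses 0.0.0.0 and :: after stripping the IPv4-mapped IPv6 prefix, and rejectLocalDial applies that check as a net.Dialer Control hook so it runs against the address actually being connected to, after DNS resolution. A reverse proxy or WAF rule that matches only the literal string 0.0.0.0 will not see :: or ::ffff:0.0.0.0; the address-level check covers those spellings. The function names, the 203.0.113.10 sample address (a documentation range) and the http.Client wiring are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"net/url"
	"syscall"
	"time"
)

// weakIsBlocked models a loopback-only source filter of the kind the advisory
// describes: it rejects 127.0.0.0/8 and ::1 but not the unspecified address.
func weakIsBlocked(addr netip.Addr) bool {
	return addr.IsLoopback()
}

// hardenedIsBlocked also rejects the unspecified addresses 0.0.0.0 and ::
// (a connection to them is delivered to the local host) and strips the
// IPv4-mapped IPv6 prefix first so ::ffff:127.0.0.1 is not a bypass.
func hardenedIsBlocked(addr netip.Addr) bool {
	addr = addr.Unmap()
	return addr.IsLoopback() || addr.IsUnspecified()
}

var errLocalTarget = errors.New("destination is the local host")

// rejectLocalDial is a net.Dialer.Control hook (hypothetical name). It sees
// the ip:port the socket is about to connect to, after DNS resolution, so a
// hostname that resolves to 0.0.0.0 or 127.0.0.1 is caught as well.
func rejectLocalDial(network, address string, _ syscall.RawConn) error {
	ap, err := netip.ParseAddrPort(address)
	if err != nil {
		return fmt.Errorf("unparseable dial address %q: %w", address, err)
	}
	if hardenedIsBlocked(ap.Addr()) {
		return fmt.Errorf("%w: %s", errLocalTarget, ap)
	}
	return nil
}

// ValidateSourceURL is a cheap pre-check on the request path: it rejects
// source URLs whose host is a literal address the hardened filter blocks.
// Hostnames pass here and are checked at dial time by rejectLocalDial.
func ValidateSourceURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	host := u.Hostname()
	if host == "" {
		return fmt.Errorf("source URL %q has no host", raw)
	}
	if a, err := netip.ParseAddr(host); err == nil && hardenedIsBlocked(a) {
		return fmt.Errorf("%w: %s", errLocalTarget, host)
	}
	return nil
}

// newRestrictedClient wires the hook into an http.Client; a fetcher built on
// it cannot reach loopback or unspecified addresses however the host is spelled.
func newRestrictedClient() *http.Client {
	d := &net.Dialer{Timeout: 5 * time.Second, Control: rejectLocalDial}
	return &http.Client{Transport: &http.Transport{DialContext: d.DialContext}}
}

func main() {
	// Constructed inputs: compare the two filters on a few spellings.
	for _, s := range []string{"0.0.0.0", "127.0.0.1", "::", "::ffff:127.0.0.1", "203.0.113.10"} {
		a := netip.MustParseAddr(s)
		fmt.Printf("%-18s weak=%-5v hardened=%v\n", s, weakIsBlocked(a), hardenedIsBlocked(a))
	}
	_ = newRestrictedClient()
}
```

The dial-time hook is the part that matters: a check applied only to the URL string can be defeated by a hostname whose DNS answer is a local address, whereas the Control hook runs on the resolved address for every connection the client makes.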
🔍 How to Verify
Check if Vulnerable:
Test if imgproxy can fetch images from 0.0.0.0 addresses when IMGPROXY_ALLOW_LOOPBACK_SOURCE_ADDRESSES is false.
Check Version:
imgproxy --version
Verify Fix Applied:
After updating to 3.27.2+, verify that requests to 0.0.0.0 addresses are properly rejected.
📡 Detection & Monitoring
Log Indicators:
- Failed or successful requests to 0.0.0.0 addresses in imgproxy logs
- Unusual internal service access patterns from imgproxy host
Network Indicators:
- Outbound connections from imgproxy to localhost/127.0.0.1 on unusual ports
- HTTP requests with 0.0.0.0 in the source URL
SIEM Query:
source="imgproxy.log" AND ("0.0.0.0" OR "127.0.0.1") AND status=200
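The SIEM query above matches two literal strings and only successful responses. As an added Go example (not from this page or from the imgproxy project), the scanner below reads constructed imgproxy-style log lines, extracts the source URL from each, and flags any whose host is a loopback or unspecified address in any spelling (0.0.0.0, 127.x, ::, [::1], IPv4-mapped forms), recording the response status rather than filtering on it so failed attempts are kept. The source_url= and status= key-value layout of the sample lines is an assumption; adjust the two regular expressions to the real log format of your deployment.

```go
package main

import (
	"fmt"
	"net/netip"
	"net/url"
	"regexp"
	"strings"
)

// Constructed sample log in a key=value style; the real imgproxy format may differ.
const sampleLog = `time=2025-01-20T10:00:01Z level=info msg="completed" status=200 source_url=https://cdn.example.org/a.png
time=2025-01-20T10:00:02Z level=info msg="completed" status=200 source_url=http://0.0.0.0:8080/admin/config
time=2025-01-20T10:00:03Z level=warn msg="source fetch failed" status=500 source_url=http://127.0.0.1:9000/metrics
time=2025-01-20T10:00:04Z level=info msg="completed" status=200 source_url=http://[::]:6379/
time=2025-01-20T10:00:05Z level=info msg="completed" status=200 source_url=http://[::ffff:127.0.0.1]/x.jpg
time=2025-01-20T10:00:06Z level=info msg="completed" status=200 source_url=https://images.example.org/b.jpg`

var (
	sourceRe = regexp.MustCompile(`source_url=(\S+)`)
	statusRe = regexp.MustCompile(`status=(\d+)`)
)

// Hit is one log line whose source host points at the local host.
type Hit struct {
	Line   int    // 1-based line number in the scanned log
	Host   string // host as written in the URL
	Status string // response status from the line, or "?" if absent
	Reason string // "unspecified" or "loopback"
}

// classifyHost returns why a literal host address is local, or "" if it is
// not (or is a hostname, which would need the resolver to judge).
func classifyHost(host string) string {
	a, err := netip.ParseAddr(host)
	if err != nil {
		return ""
	}
	a = a.Unmap() // ::ffff:127.0.0.1 -> 127.0.0.1
	switch {
	case a.IsUnspecified():
		return "unspecified"
	case a.IsLoopback():
		return "loopback"
	}
	return ""
}

// ScanLog returns every line whose source URL host is loopback or unspecified,
// regardless of the response status.
func ScanLog(log string) []Hit {
	var hits []Hit
	for i, line := range strings.Split(log, "\n") {
		m := sourceRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		u, err := url.Parse(m[1])
		if err != nil {
			continue
		}
		reason := classifyHost(u.Hostname())
		if reason == "" {
			continue
		}
		status := "?"
		if s := statusRe.FindStringSubmatch(line); s != nil {
			status = s[1]
		}
		hits = append(hits, Hit{Line: i + 1, Host: u.Hostname(), Status: status, Reason: reason})
	}
	return hits
}

func main() {
	for _, h := range ScanLog(sampleLog) {
		fmt.Printf("line %d: host=%s status=%s reason=%s\n", h.Line, h.Host, h.Status, h.Reason)
	}
}
```

Lines 2 through 5 of the sample are reported; the string-match query would have missed lines 3, 4 and 5 (non-200 status, :: and the mapped form respectively).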