CVE-2025-28096

5.4 MEDIUM

📋 TL;DR

OneNav 1.1.0 contains a Server-Side Request Forgery (SSRF) vulnerability in its custom headers functionality. This allows attackers to make unauthorized requests from the server to internal or external systems. All users running OneNav 1.1.0 are affected.

💻 Affected Systems

Products:
  • OneNav
Versions: 1.1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the custom headers functionality; all installations of version 1.1.0 are affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could access internal services, exfiltrate sensitive data, or pivot to other systems within the network.

🟠 Likely Case

Information disclosure from internal services, potential data exfiltration, or scanning of internal network resources.

🟢 If Mitigated

Limited impact if network segmentation restricts server outbound connections and internal service access.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to the custom headers functionality; references indicate detailed technical analysis is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Monitor the OneNav project for updates and apply when released.

🔧 Temporary Workarounds

Disable custom headers functionality (platform: all)

Remove or disable the vulnerable custom headers feature in OneNav configuration.

Edit OneNav configuration to disable custom headers functionality

Network restrictions (platform: all)

Implement egress filtering to restrict the OneNav server from making outbound requests to unauthorized destinations.

Configure firewall rules to block outbound HTTP/HTTPS from OneNav server except to required services

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate the OneNav server from sensitive internal systems
  • Deploy a web application firewall (WAF) with SSRF protection rules

🔍 How to Verify

Check if Vulnerable:

Check if running OneNav version 1.1.0 and if custom headers functionality is enabled.

Check Version:

Check OneNav configuration or admin interface for version information

Verify Fix Applied:

Verify that custom headers functionality is disabled or that the server cannot make unauthorized outbound requests.

📡 Detection & Monitoring

Log Indicators:

  • Unusual outbound HTTP requests from the OneNav server
  • Requests to internal IP addresses or unusual domains

Network Indicators:

  • HTTP requests from OneNav server to unexpected destinations
  • Port scanning activity originating from the server

SIEM Query:

source_ip="[OneNav_Server_IP]" AND (dest_port=80 OR dest_port=443) AND dest_ip NOT IN [allowed_destinations]
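The indicators and SIEM query above, as an added example (not part of the original advisory or the OneNav project): a Python pass over constructed flow records that applies the query's conditions and also labels internal destinations and port fan-out. The server IP, allowlist, threshold and `src dest port` record layout are assumptions to adapt to your own log source.

```python
import ipaddress
from collections import defaultdict

# Assumptions (placeholders, not values from the advisory).
ONENAV_SERVER_IP = "10.0.5.20"
ALLOWED_DESTINATIONS = {"203.0.113.10"}   # services the server legitimately calls
SCAN_PORT_THRESHOLD = 5                   # distinct ports to one host
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Constructed flow records, one per line: "src_ip dest_ip dest_port".
SAMPLE_FLOWS = (
    "10.0.5.20 203.0.113.10 443\n"    # allowlisted, no alert
    "10.0.5.20 192.168.1.5 80\n"      # internal address
    "10.0.5.20 10.0.9.7 443\n"        # internal address
    "10.0.5.20 198.51.100.77 443\n"   # external, not allowlisted
    "10.0.8.3 10.0.9.7 443\n"         # different source, ignored
    + "".join(f"10.0.5.20 10.0.9.8 {p}\n"
              for p in (22, 80, 443, 3306, 6379, 8080)))

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def analyze(flow_text):
    """Return (kind, dest_ip, detail) alerts for flows from the OneNav server."""
    alerts = []
    ports_by_dest = defaultdict(set)
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0] != ONENAV_SERVER_IP:
            continue
        dest, port = parts[1], int(parts[2])
        ports_by_dest[dest].add(port)
        # Same condition as the SIEM query: HTTP/HTTPS to a non-allowlisted host.
        if port in (80, 443) and dest not in ALLOWED_DESTINATIONS:
            kind = ("internal_destination" if is_internal(dest)
                    else "unexpected_destination")
            alerts.append((kind, dest, port))
    # Many distinct ports on one host matches the port-scanning indicator.
    for dest, ports in ports_by_dest.items():
        if len(ports) >= SCAN_PORT_THRESHOLD:
            alerts.append(("port_scan", dest, len(ports)))
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_FLOWS):
        print(alert)
```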
