CVE-2025-44594

9.1 CRITICAL

📋 TL;DR

This SSRF vulnerability in halo allows attackers to make the server send arbitrary HTTP requests to internal systems. Attackers can potentially access internal services, exfiltrate data, or perform internal port scanning. All users running vulnerable versions of halo are affected.

💻 Affected Systems

Products:
  • halo
Versions: v2.20.17 and earlier
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the upload-from-url endpoint specifically; requires the attachment upload feature to be enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of internal infrastructure through chained attacks, data exfiltration from internal services, or lateral movement to other systems.

🟠 Likely Case

Internal service enumeration, data leakage from internal APIs, or access to metadata services in cloud environments.

🟢 If Mitigated

Limited to port scanning or reaching only specific allowed endpoints, if proper network segmentation exists.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authentication but is straightforward once authenticated; the reference link contains technical details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v2.20.18 or later

Vendor Advisory: https://github.com/halo-dev/halo/releases

Restart Required: Yes

Instructions:

1. Backup your halo instance.
2. Update to halo v2.20.18 or newer.
3. Restart the halo service.
4. Verify the update was successful.

🔧 Temporary Workarounds

Disable upload-from-url endpoint
Applies to: all
Temporarily disable the vulnerable endpoint until patching is possible.
Action: Modify the halo configuration to disable /apis/uc.api.storage.halo.run/v1alpha1/attachments/-/upload-from-url

Network segmentation
Applies to: all
Restrict the halo server's outbound network access to prevent SSRF exploitation.
Action: Configure firewall rules to block the halo server from accessing internal networks

🧯 If You Can't Patch

  • Implement strict network egress filtering to limit halo server's outbound connections
  • Deploy a web application firewall (WAF) with SSRF protection rules

🔍 How to Verify

Check if Vulnerable:

You are vulnerable if you are running halo version 2.20.17 or earlier and the upload-from-url endpoint is accessible.

Check Version:

halo --version or check the admin dashboard version information

Verify Fix Applied:

Confirm halo version is 2.20.18 or newer and test the upload-from-url endpoint with SSRF payloads

📡 Detection & Monitoring

Log Indicators:

  • Unusual outbound HTTP requests from halo server
  • Requests to internal IP addresses or metadata services
  • Multiple failed upload attempts with unusual URLs

Network Indicators:

  • Halo server making unexpected HTTP requests to internal services
  • Traffic to cloud metadata endpoints (169.254.169.254, etc.)

SIEM Query:

source="halo" AND (url="*upload-from-url*" AND (dst_ip="10.*" OR dst_ip="172.*" OR dst_ip="192.168.*" OR dst_ip="169.254.169.254"))
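The egress-filtering workaround above and the SIEM query both come down to one decision: is the host the server is about to fetch (or did fetch) an internal target? The Python below is an added example, not halo's code, that makes that decision once with the standard ipaddress module and uses it twice: as a pre-fetch validator for an upload-from-url style feature, and as a scanner over log lines. Unlike the dst_ip="172.*" wildcard in the query above, it matches only 172.16.0.0/12, so public 172.x addresses are not false positives, and it also catches loopback, 169.254.169.254, IPv4-mapped IPv6 literals and hostnames that resolve to internal addresses. The log line format, the hostnames, the addresses and the resolver table are constructed assumptions; only the endpoint path is taken from this advisory.

```python
import ipaddress
import re
import socket
from urllib.parse import urlparse

# The endpoint named in the advisory.
UPLOAD_PATH = "/apis/uc.api.storage.halo.run/v1alpha1/attachments/-/upload-from-url"

# Hostnames that reach internal targets without ever appearing as an IP literal.
# Assumption: illustrative, not exhaustive; extend it for your own environment.
INTERNAL_HOSTNAMES = {"localhost", "metadata.google.internal", "metadata"}


def is_internal_address(addr: str) -> bool:
    """True if addr is an IP literal a user-supplied fetch should never reach:
    RFC 1918 and CGNAT ranges, loopback, link-local (which covers 169.254.169.254),
    multicast, reserved and unspecified addresses, and their IPv6 equivalents."""
    try:
        ip = ipaddress.ip_address(addr.strip("[]"))
    except ValueError:
        return False  # not an IP literal; hostnames are handled by is_internal_host
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.1 is really an IPv4 target
    return (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified or not ip.is_global)


def is_internal_host(host: str) -> bool:
    """Hostname-or-literal check shared by the validator and the log scanner."""
    return host.lower().rstrip(".") in INTERNAL_HOSTNAMES or is_internal_address(host)


def _dns_resolve(host):
    """Real lookup, used only when no resolver is injected."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_upload_url(url: str, resolve=_dns_resolve) -> str:
    """Pre-fetch check for an upload-from-url style feature. Rejects non-http(s)
    schemes, internal hostnames and IP literals, and hostnames whose resolved
    addresses are internal. Returns the URL if acceptable, raises ValueError otherwise."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname  # lower-cased, brackets stripped from IPv6 literals
    if not host:
        raise ValueError("missing host")
    if is_internal_host(host):
        raise ValueError(f"internal target rejected: {host}")
    for addr in resolve(host):
        if is_internal_address(addr):
            raise ValueError(f"{host} resolves to internal address {addr}")
    return url


def scan_logs(lines):
    """Flag upload-from-url events whose requested URL host or observed destination
    is internal. Returns (timestamp, reason) pairs. Because the check is CIDR-based,
    172.200.x.x is not a hit while 172.20.x.x (inside 172.16.0.0/12) is."""
    hits = []
    for line in lines:
        if UPLOAD_PATH not in line:
            continue
        m_url = re.search(r"\burl=(\S+)", line)
        m_dst = re.search(r"\bdst_ip=(\S+)", line)
        host = urlparse(m_url.group(1)).hostname if m_url else None
        reasons = []
        if host and is_internal_host(host):
            reasons.append(f"url host {host}")
        if m_dst and is_internal_address(m_dst.group(1)):
            reasons.append(f"dst_ip {m_dst.group(1)}")
        if reasons:
            hits.append((line.split(" ", 1)[0], "; ".join(reasons)))
    return hits


# Constructed sample data (not real halo logs or DNS): timestamp, method, path,
# the requested url= parameter and the destination the server actually connected to.
SAMPLE_LOGS = [
    f"2025-06-01T10:00:00Z POST {UPLOAD_PATH} url=https://cdn.example.com/a.png dst_ip=93.184.216.34",
    f"2025-06-01T10:00:05Z POST {UPLOAD_PATH} url=http://169.254.169.254/ dst_ip=169.254.169.254",
    f"2025-06-01T10:00:09Z POST {UPLOAD_PATH} url=http://10.0.0.5:8080/ dst_ip=10.0.0.5",
    f"2025-06-01T10:00:12Z POST {UPLOAD_PATH} url=http://172.20.1.1/ dst_ip=172.20.1.1",
    f"2025-06-01T10:00:15Z POST {UPLOAD_PATH} url=http://172.200.1.1/ dst_ip=172.200.1.1",
    f"2025-06-01T10:00:18Z POST {UPLOAD_PATH} url=http://files.example.org/x.jpg dst_ip=127.0.0.1",
    "2025-06-01T10:00:20Z GET /index.html dst_ip=93.184.216.34",
]
DEMO_DNS = {
    "cdn.example.com": ["93.184.216.34"],
    "rebind.example.net": ["93.184.216.34", "127.0.0.1"],  # one public, one loopback answer
}


def demo_resolve(host):
    """Constructed resolver so the example runs offline."""
    return DEMO_DNS.get(host, [])


if __name__ == "__main__":
    for url in ("https://cdn.example.com/a.png", "http://rebind.example.net/",
                "http://169.254.169.254/", "ftp://cdn.example.com/a.png"):
        try:
            print("allow ", validate_upload_url(url, resolve=demo_resolve))
        except ValueError as exc:
            print("reject", url, "->", exc)
    for ts, why in scan_logs(SAMPLE_LOGS):
        print("alert ", ts, why)
```

The sixth sample line is the case the SIEM query's url filter alone would miss: the requested hostname looks public, but the connection went to loopback. Checking resolved addresses before the fetch narrows that window but does not close it (the answer can change between lookup and connect), so the fetch itself should connect to the vetted address and refuse redirects, or be routed through an egress proxy that enforces the same policy at connection time.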
