CVE-2025-52362
📋 TL;DR
This SSRF vulnerability in PHProxy allows attackers to bypass URL validation and make unauthorized requests to internal systems. Remote unauthenticated attackers can exploit this to access internal services. All users running PHProxy version 1.1.1 or earlier are affected.
💻 Affected Systems
- PHProxy
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attacker accesses sensitive internal systems, exfiltrates data, or performs lateral movement within the network.
Likely Case
Attacker scans internal networks, accesses internal web services, or uses the proxy to attack other systems.
If Mitigated
Limited to port scanning or accessing non-sensitive internal services if proper network segmentation exists.
🎯 Exploit Status
Public proof-of-concept exists in the GitHub gist reference. Exploitation requires only HTTP requests.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: Not available
Restart Required: No
Instructions:
No official patch exists. Consider workarounds or alternative software.
🔧 Temporary Workarounds
Input Validation Enhancement
(all platforms) Add strict validation for the _proxurl parameter to reject internal IP addresses and localhost URLs
Modify PHProxy source code to validate URLs against internal IP ranges (127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
Network Access Control
(Linux) Restrict PHProxy's outbound network access using firewall rules
iptables -A OUTPUT -p tcp -m owner --uid-owner phproxy -d 127.0.0.0/8 -j DROP
iptables -A OUTPUT -p tcp -m owner --uid-owner phproxy -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -p tcp -m owner --uid-owner phproxy -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -p tcp -m owner --uid-owner phproxy -d 192.168.0.0/16 -j DROP
🧯 If You Can't Patch
- Disable or remove PHProxy from internet-facing systems immediately
- Implement strict network segmentation to isolate PHProxy from sensitive internal systems
🔍 How to Verify
Check if Vulnerable:
Test by attempting to proxy requests to internal IP addresses (127.0.0.1, 192.168.1.1) using the _proxurl parameter
Check Version:
Check PHProxy version in source code or configuration files
Verify Fix Applied:
Verify that internal IP requests are rejected and only external URLs are processed
📡 Detection & Monitoring
Log Indicators:
- Unusual URL patterns in access logs
- Requests to internal IP addresses from PHProxy
- Multiple failed validation attempts
Network Indicators:
- Outbound connections from PHProxy to internal IP ranges
- Unusual traffic patterns from PHProxy server
SIEM Query:
source="phproxy.log" AND (url="*127.0.0.1*" OR url="*192.168.*" OR url="*10.*" OR url="*172.16.*")
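Added example (not part of the original advisory or of PHProxy): a log check that parses the destination host and tests it against the internal ranges listed in the workaround, so a public URL that merely contains "10." is not flagged and the whole of 172.16.0.0/12 is covered. It also serves as a reference for the range test the input-validation workaround calls for. The url="..." field layout, the sample lines and the function names are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Ranges from the workaround above; ::1 (IPv6 loopback) is an added assumption.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "::1/128")]
URL_FIELD = re.compile(r'url="([^"]*)"')  # assumed log field, as in the query

def internal_target(url):
    """Return the internal range (or 'localhost') the URL's host falls in, else None."""
    try:
        host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    except ValueError:          # malformed URL, e.g. unbalanced IPv6 brackets
        return None
    if host == "localhost" or host.endswith(".localhost"):
        return "localhost"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None             # empty or a DNS name: resolve separately before trusting
    ip = getattr(ip, "ipv4_mapped", None) or ip   # unwrap ::ffff:a.b.c.d
    for net in INTERNAL_NETS:
        if ip.version == net.version and ip in net:
            return str(net)
    return None

def scan(lines):
    """Return (line_number, matched_range) for each log line targeting an internal host."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = URL_FIELD.search(line)
        target = internal_target(match.group(1)) if match else None
        if target:
            hits.append((number, target))
    return hits

# Constructed sample lines; the real phproxy.log layout may differ.
SAMPLE_LOG = [
    '2025-07-01T10:00:01Z client=203.0.113.7 url="http://example.com/v10.2/notes"',
    '2025-07-01T10:00:02Z client=203.0.113.7 url="http://127.0.0.1:8080/status"',
    '2025-07-01T10:00:04Z client=203.0.113.7 url="http://172.20.3.4/admin"',
    '2025-07-01T10:00:05Z client=203.0.113.7 url="http://192.168.1.1/"',
    '2025-07-01T10:00:06Z client=203.0.113.7 url="http://localhost/server-status"',
]

if __name__ == "__main__":
    for number, target in scan(SAMPLE_LOG):
        print(f"line {number}: internal destination ({target})")
```

Hostnames that are not IP literals return None here; a validator inside the proxy would also have to resolve the name and apply the same range test to every address it resolves to.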