CVE-2025-59951
📋 TL;DR
A critical authentication bypass vulnerability in Termix versions 1.5.0 and below allows unauthenticated attackers to access the /ssh/db/host/internal endpoint, exposing stored SSH host information including addresses, usernames, and passwords. This affects users of the official Termix Docker image, custom images built from the official Dockerfile, or any deployment using reverse proxy functionality. The vulnerability stems from incorrect IP address handling when Nginx reverse proxy is configured.
💻 Affected Systems
- Termix
📦 What is this software?
Termix by Termix
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of all SSH credentials stored in Termix, leading to lateral movement across infrastructure, data exfiltration, and potential full system takeover.
Likely Case
Unauthenticated attackers accessing SSH credentials, enabling unauthorized access to managed servers and potential credential reuse attacks.
If Mitigated
Limited exposure if proper network segmentation and access controls prevent external access to the vulnerable endpoint.
🎯 Exploit Status
Simple HTTP request to vulnerable endpoint with no authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.6.0
Vendor Advisory: https://github.com/LukeGus/Termix/security/advisories/GHSA-92cw-877q-6r94
Restart Required: Yes
Instructions:
1. Update Termix to version 1.6.0 or higher.
2. Pull the updated Docker image: docker pull lukegus/termix:latest
3. Stop the existing container.
4. Start a new container with the updated image.
5. Verify that the running version is 1.6.0 or higher.
🔧 Temporary Workarounds
Block vulnerable endpoint via reverse proxy
Configure Nginx or another reverse proxy to block access to the /ssh/db/host/internal endpoint:
location /ssh/db/host/internal { deny all; return 403; }
Remove reverse proxy configuration
Temporarily disable the reverse proxy configuration to restore correct IP address handling:
# Remove or comment out reverse proxy settings in Nginx config
🧯 If You Can't Patch
- Implement strict network access controls so that only trusted IPs can reach the Termix instance
- Monitor and alert on any access attempts to /ssh/db/host/internal endpoint
🔍 How to Verify
Check if Vulnerable:
Check whether the Termix version is 1.5.0 or below and whether it is deployed behind a reverse proxy. Test by attempting to access http://[termix-host]/ssh/db/host/internal without authentication.
Check Version:
docker exec [container_name] cat /app/package.json | grep version
Verify Fix Applied:
After updating to 1.6.0+, verify that accessing the /ssh/db/host/internal endpoint without authentication returns an authentication error (401/403) instead of host data.
📡 Detection & Monitoring
Log Indicators:
- HTTP 200 responses to the /ssh/db/host/internal endpoint for requests carrying no authentication
- Unusual access patterns to SSH credential endpoint
Network Indicators:
- HTTP GET requests to /ssh/db/host/internal from unauthorized sources
- Traffic to SSH endpoints from Termix server to unexpected destinations
SIEM Query:
source="termix" AND (url_path="/ssh/db/host/internal" AND response_code=200)
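The same check as the SIEM query above, run over Nginx access-log lines, as an added example that is not part of this advisory or of the Termix project. It assumes the Nginx "combined" log format; the log lines are constructed samples, not real traffic.

```python
import re
from collections import Counter

# Nginx "combined" access-log format (assumed for this example).
LOG_RE = re.compile(
    r'(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

VULN_PATH = "/ssh/db/host/internal"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["target"].split("?", 1)[0]  # drop any query string before comparing
    rec["status"] = int(rec["status"])
    return rec


def find_exposed_hits(lines):
    """Return records where url_path == VULN_PATH and response_code == 200 (the SIEM query)."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] == VULN_PATH and rec["status"] == 200:
            hits.append(rec)
    return hits


def hits_by_client(lines):
    """Count successful hits on the endpoint per client address, for alert thresholds."""
    return Counter(rec["client"] for rec in find_exposed_hits(lines))


# Constructed sample log lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Oct/2025:12:00:01 +0000] "GET /ssh/db/host/internal HTTP/1.1" 200 1842 "-" "curl/8.4.0"',
    '203.0.113.10 - - [10/Oct/2025:12:00:02 +0000] "GET /ssh/db/host/internal?x=1 HTTP/1.1" 200 1842 "-" "curl/8.4.0"',
    '198.51.100.7 - - [10/Oct/2025:12:01:00 +0000] "GET /ssh/db/host/internal HTTP/1.1" 401 32 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [10/Oct/2025:12:02:00 +0000] "GET /ssh/db/host HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    'not a log line',
]

if __name__ == "__main__":
    for rec in find_exposed_hits(SAMPLE_LOG):
        print(f'ALERT {rec["client"]} {rec["method"]} {rec["target"]} -> {rec["status"]}')
```

Because the flaw concerns how the backend interprets client addresses behind the proxy, the proxy's own access log, which records the real client address, is the better record of who reached the endpoint than the application's log.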