CVE-2025-60898
📋 TL;DR
An unauthenticated SSRF vulnerability in the thumbnail via-uri endpoint of Halo CMS 2.21 lets an attacker make the server issue HTTP requests to attacker-chosen URLs, including internal network addresses. Because the endpoint answers with a redirect whose Location header reflects the fetched URL, internal URLs are disclosed back to the attacker. All Halo CMS 2.21 installations that expose the vulnerable thumbnail endpoint are affected.
💻 Affected Systems
- Halo CMS
⚠️ Manual Verification Required
The CVE record carries no structured version information, so automated detection cannot decide whether a given installation is affected.
Why? The CVE database entry specifies no version ranges (none were provided by the vendor or NVD). The 2.21 figure above comes from the vulnerability description, not from structured version data, so treat it as the one version known to be affected rather than as a complete range.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attacker maps internal network, accesses internal services, potentially leading to data exfiltration or lateral movement within the network.
Likely Case
Information disclosure of internal URLs and network topology, possible limited internal service enumeration.
If Mitigated
Limited impact with proper network segmentation and egress filtering in place.
🎯 Exploit Status
Unauthenticated exploitation via simple HTTP requests to the vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: a release later than 2.21 (the exact fixed version is not stated in the CVE record; check the vendor's release notes)
Vendor Advisory: http://halo.com
Restart Required: No
Instructions:
1. Check the current Halo CMS version.
2. Update to the latest release beyond 2.21.
3. Verify that the thumbnail endpoint now validates supplied URLs properly.
🔧 Temporary Workarounds
Disable thumbnail endpoint
Block or disable the vulnerable thumbnail via-uri endpoint. This removes URL-based thumbnail generation until the patch is applied.
Configure the web server or reverse proxy in front of Halo to deny requests to /api/content/thumbnails/via-uri.
Network egress filtering
Restrict outbound HTTP requests from the Halo server to only the destinations it needs. Internet-facing egress rules alone do not stop this SSRF: the filtering must also deny connections from the Halo process to loopback, RFC 1918, link-local and cloud-metadata (169.254.169.254) addresses, which are the targets an attacker is most interested in.
Configure the firewall to limit outbound HTTP/HTTPS from the Halo server IP, including traffic to internal address ranges.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Halo server from internal resources
- Deploy a web application firewall with SSRF protection rules; note that rules matching only literal private-IP strings are bypassed by hostnames that resolve to internal addresses or by alternative IP encodings, so pair the WAF with the egress filtering above
🔍 How to Verify
Check if Vulnerable:
Send a request to /api/content/thumbnails/via-uri naming a URL you control (a listener on a host you own) and one that should be unreachable from the outside (a loopback or RFC 1918 address). A vulnerable instance fetches the listener URL from the server's own address and answers the request with a redirect whose Location header reflects the URL you supplied.
Check Version:
Check Halo CMS admin panel or version file for current version
Verify Fix Applied:
Confirm that the endpoint now validates the supplied URL (scheme and host, checked against the resolved address rather than only the hostname string) and no longer returns internal URLs in redirect Location headers.
📡 Detection & Monitoring
Log Indicators:
- Requests to the thumbnail via-uri endpoint whose supplied URL names a loopback, RFC 1918, link-local or cloud-metadata (169.254.169.254) address, or an external host you do not recognise
- Bursts of 307 redirect responses from that endpoint, especially from a single client walking many internal addresses or ports
Network Indicators:
- Outbound HTTP requests from Halo server to unusual internal/external IPs
SIEM Query:
Inbound (web access log; the Halo server is the destination and the attacker the source):
dest_host=HALO_SERVER AND uri_path="/api/content/thumbnails/via-uri" AND status_code=307
Outbound (firewall or proxy log; the Halo server is the source):
src_ip=HALO_SERVER AND NOT dest_ip IN (allowlisted destinations)
Keep the two queries separate: a single query keyed on source_ip=HALO_SERVER would never match the inbound requests to the endpoint.
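The following script is an added example for the "How to Verify" and "Detection & Monitoring" sections above; it is not Halo project code and not part of the original advisory. It assumes, because the advisory does not say, that the endpoint reads the target URL from a query parameter named uri, that a vulnerable server answers with a 307 whose Location header reflects that URL, and that the access log is nginx/Apache "combined" format with the Location response header appended as one extra quoted field. The probe() function does live network I/O; the log scanner runs offline on constructed sample lines.

```python
"""Probe and log-detection helpers for the Halo CMS via-uri SSRF (CVE-2025-60898).

Added example, not Halo project code. Assumed (not stated in the advisory):
  * the endpoint takes the target URL in a query parameter named "uri"
  * a vulnerable server answers 307 with a Location header reflecting the target
  * log lines are "combined" format plus the Location header as one extra field
"""
import ipaddress
import re
import urllib.error
import urllib.request
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlencode, urlparse

ENDPOINT = "/api/content/thumbnails/via-uri"
PARAM = "uri"  # assumed query parameter name


def is_internal_host(host: str) -> bool:
    """True for "localhost" and literal loopback, RFC 1918, link-local (incl.
    169.254.169.254 metadata), reserved or unspecified addresses. Other hostnames
    return False; a production check must resolve them and test each address."""
    if host.lower() == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_unspecified)


def classify_redirect(status: int, location: Optional[str]) -> str:
    """"not-redirect", "redirect-external" or "redirect-internal" from one response."""
    if status not in (301, 302, 303, 307, 308) or not location:
        return "not-redirect"
    host = urlparse(location).hostname or ""
    return "redirect-internal" if is_internal_host(host) else "redirect-external"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Keep urllib from following 3xx so the Location header stays visible.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(base_url: str, target: str, timeout: float = 10.0) -> str:
    """Ask the endpoint to fetch `target` and classify the answer (network I/O)."""
    url = base_url.rstrip("/") + ENDPOINT + "?" + urlencode({PARAM: target})
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify_redirect(resp.status, resp.headers.get("Location"))
    except urllib.error.HTTPError as err:  # every 3xx/4xx/5xx lands here
        return classify_redirect(err.code, err.headers.get("Location"))


# Constructed sample log lines (not real traffic): one client aims the endpoint at
# loopback, the cloud metadata address and an RFC 1918 host; another requests a
# legitimate external image; the last line is unrelated.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2025:10:00:01 +0000] "GET /api/content/thumbnails/via-uri?uri=http%3A%2F%2F127.0.0.1%3A8090%2F HTTP/1.1" 307 0 "-" "curl/8.0" "http://127.0.0.1:8090/"',
    '203.0.113.5 - - [01/Jan/2025:10:00:02 +0000] "GET /api/content/thumbnails/via-uri?uri=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 307 0 "-" "curl/8.0" "http://169.254.169.254/latest/meta-data/"',
    '203.0.113.5 - - [01/Jan/2025:10:00:03 +0000] "GET /api/content/thumbnails/via-uri?uri=http%3A%2F%2F10.0.0.7%2F HTTP/1.1" 307 0 "-" "curl/8.0" "http://10.0.0.7/"',
    '198.51.100.9 - - [01/Jan/2025:10:05:00 +0000] "GET /api/content/thumbnails/via-uri?uri=https%3A%2F%2Fcdn.example.com%2Fa.png HTTP/1.1" 307 0 "-" "Mozilla/5.0" "https://cdn.example.com/a.png"',
    '198.51.100.9 - - [01/Jan/2025:10:05:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"',
]

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"(?: "(?P<location>[^"]*)")?'
)


def scan_access_log(lines: List[str]) -> List[Dict]:
    """One finding per via-uri request: decoded target, whether it points inside
    the network, and how the server answered."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m.group("path").startswith(ENDPOINT):
            continue
        target = parse_qs(urlparse(m.group("path")).query).get(PARAM, [""])[0]
        location, status = m.group("location"), int(m.group("status"))
        findings.append({
            "client": m.group("client"),
            "target": target,
            "status": status,
            "internal_target": is_internal_host(urlparse(target).hostname or ""),
            "verdict": classify_redirect(status, None if location == "-" else location),
        })
    return findings


def suspicious_clients(findings: List[Dict], threshold: int = 3) -> Dict[str, int]:
    """Clients that aimed the endpoint at internal addresses `threshold`+ times."""
    counts: Dict[str, int] = {}
    for f in findings:
        if f["internal_target"]:
            counts[f["client"]] = counts.get(f["client"], 0) + 1
    return {c: n for c, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # e.g. ssrf_check.py https://halo.example http://127.0.0.1:8090/
        print(probe(sys.argv[1], sys.argv[2]))
    else:
        hits = scan_access_log(SAMPLE_LOG)
        print(*hits, sep="\n")
        print("suspicious:", suspicious_clients(hits))
```

A "redirect-internal" verdict from probe() against a loopback or RFC 1918 target reproduces the information-disclosure half of the bug; to confirm the server really fetches attacker-chosen URLs, point it at a listener you control and watch for the inbound connection from the Halo server's address. In the log scanner, the verdict relies on the Location header being logged; if your log format omits it, the internal_target flag (computed from the supplied URL alone) still identifies the probing client.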