CVE-2025-24354: imgproxy is vulnerable to SSRF against 0.0.0.0

January 27, 2025

Imgproxy does not block the 0.0.0.0 address, even with IMGPROXY_ALLOW_LOOPBACK_SOURCE_ADDRESSES set to false. This can expose services on the local host.

References

github.com/advisories/GHSA-j2hp-6m75-v4j4
github.com/imgproxy/imgproxy
github.com/imgproxy/imgproxy/commit/3d4fed6842aa8930ec224d0ad75b0079b858e081
github.com/imgproxy/imgproxy/security/advisories/GHSA-j2hp-6m75-v4j4
nvd.nist.gov/vuln/detail/CVE-2025-24354

Code Behaviors & Features

Detect and mitigate CVE-2025-24354 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →