CVE-2025-24354

MEDIUM EXPLOITED NUCLEI

Imgproxy < 3.27.2 - SSRF

Title source: rule

Description

imgproxy is a server for resizing, processing, and converting images. imgproxy does not block the 0.0.0.0 address, even with IMGPROXY_ALLOW_LOOPBACK_SOURCE_ADDRESSES set to false. This can expose services on the local host. This vulnerability is fixed in 3.27.2.

Exploits (1)

nomisec SCANNER
by Admin9961 · infoleak
https://github.com/Admin9961/CVE-2025-24354-PoC

Nuclei Templates (1)

Imgproxy < 3.27.2 - Server-Side Request Forgery (SSRF)
MEDIUM · VERIFIED · by oksuzkayra
Shodan: http.html:"imgproxy"
FOFA: body="imgproxy"

Scores

CVSS v3 5.3
EPSS 0.0222
EPSS Percentile 84.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

VulnCheck KEV 2025-11-27
CWE
CWE-918
Status published
Products (2)
imgproxy/imgproxy 0 - 3.27.2 (Go)
imgproxy/imgproxy < 3.27.2
Published Jan 27, 2025
Tracked Since Feb 18, 2026