CVE-2025-67427

MEDIUM

evershop < 2.1.0 - Unauthenticated Blind Server-Side Request Forgery via Images API src Parameter

Title source: llm

Description

A Blind Server-Side Request Forgery (SSRF) vulnerability in evershop 2.1.0 and prior allows unauthenticated attackers to force the server to initiate an HTTP request via the "GET /images" API. The vulnerability occurs due to insufficient validation of the "src" query parameter, which permits arbitrary HTTP or HTTPS URIs, resulting in unexpected requests against internal and external networks.

References (2)

Core 2

Core References

Third Party Advisory

https://github.com/dos-m0nk3y/CVE/tree/main/CVE-2025-67427

View Writeup ZIP pw:eip

Product

https://github.com/evershopcommerce/evershop

Scores

CVSS v3 6.5

EPSS 0.0018

EPSS Percentile 7.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-918

Status published

Products (2)

evershop/evershop < 2.1.0

evershop/evershop 0npm

Published Jan 05, 2026

Tracked Since Feb 18, 2026