CVE-2025-54122
BaseFortify
Publication date: 2025-07-21
Last updated on: 2025-07-22
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| manager-io | manager | 25.7.18.2519 |
| manager-io | manager | 25.7.21.2525 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a critical unauthenticated full read Server-Side Request Forgery (SSRF) in the proxy handler component of Manager-io/Manager accounting software (both Desktop and Server editions up to version 25.7.18.2519). It allows an attacker without authentication to bypass network isolation and access restrictions, potentially reaching internal services and cloud metadata endpoints that should be protected.
How can this vulnerability impact me?
The vulnerability can allow an attacker to access internal network services and cloud metadata endpoints, which can lead to exfiltration of sensitive data from isolated network segments. This can result in severe confidentiality, integrity, and availability impacts on your systems and data.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Manager-io/Manager Desktop and Server editions to version 25.7.21.2525 or later, as this version contains the fix for the SSRF vulnerability. Until the upgrade is applied, restrict access to the proxy handler component and monitor for unusual network activity that may indicate exploitation attempts.