CVE-2025-55007
BaseFortify
Publication date: 2025-09-01
Last updated on: 2025-09-05
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| eng | knowage | to 8.1.37 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-55007 is a Server-Side Request Forgery (SSRF) vulnerability in Knowage-Server versions prior to 8.1.37. It allows an attacker to make the server send requests to arbitrary hosts or paths. Although the attacker cannot read the responses, this flaw can be used to scan internal networks by sending unauthorized requests from the server. [1]
How can this vulnerability impact me? :
This vulnerability can allow an attacker to scan your internal network by sending requests from the vulnerable server to arbitrary hosts or paths. While the attacker cannot read the responses, this could potentially lead to information disclosure about internal network structure or services, which may be leveraged for further attacks. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this SSRF vulnerability can involve monitoring for unusual outbound requests from the Knowage server to internal or unexpected external hosts. Since the attacker can send arbitrary requests but cannot read responses, look for anomalous HTTP requests originating from the server to internal IP ranges or uncommon destinations. Commands to help detect this include using network monitoring tools like tcpdump or Wireshark to capture outbound traffic, for example: `tcpdump -i <interface> host <knowage-server-ip> and tcp` or `tcpdump -i <interface> dst net <internal-network-range>`. Additionally, reviewing server logs for unusual URL fetch requests or unexpected parameters in requests to the Knowage server may help identify exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Knowage-Server to version 8.1.37 or later, where this SSRF vulnerability has been patched. If upgrading is not immediately possible, consider implementing network-level restrictions to prevent the Knowage server from making arbitrary outbound requests, such as firewall rules limiting outbound HTTP requests to trusted destinations only. Additionally, review and harden input validation on any URL or host parameters accepted by the server to ensure they only allow expected destinations. [1]