CVE-2025-64327
BaseFortify
Publication date: 2025-11-06
Last updated on: 2025-11-21
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| matiasdesuu | thinkdashboard | to 0.6.8 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Blind Server-Side Request Forgery (SSRF) in ThinkDashboard versions 0.6.7 and below. It occurs in the /api/ping?url= endpoint, allowing an attacker to make arbitrary requests from the server to internal or external hosts. This can be used to discover open ports on the local machine, hosts on the local network, and ports on those internal hosts.
How can this vulnerability impact me? :
The vulnerability allows an attacker to make unauthorized requests from the server, potentially exposing internal network information such as open ports and accessible hosts. This can lead to further attacks or reconnaissance within the internal network, increasing the risk of compromise.
What immediate steps should I take to mitigate this vulnerability?
Upgrade ThinkDashboard to version 0.6.8 or later, as this version contains the fix for the Blind SSRF vulnerability in the /api/ping?url= endpoint.