CVE-2024-25181
Unknown Unknown - Not Provided

SSRF and Arbitrary File Read in Givanz VvvebJs

Vulnerability report for CVE-2024-25181, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-12-29

Last updated on: 2025-12-29

Assigner: MITRE

Description

A critical vulnerability has been identified in givanz VvvebJs 1.7.2, which allows both Server-Side Request Forgery (SSRF) and arbitrary file reading. The vulnerability stems from improper handling of user-supplied URLs in the "file_get_contents" function within the "save.php" file.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-12-29
Last Modified
2025-12-29
Generated
2026-07-06
AI Q&A
2025-12-29
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
givanz vvebjs 1.7.2

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in givanz VvvebJs 1.7.2 allows attackers to perform Server-Side Request Forgery (SSRF) and arbitrary file reading due to improper handling of user-supplied URLs in the "file_get_contents" function within the "save.php" file.

Impact Analysis

The vulnerability can allow attackers to make unauthorized requests from the server to internal or external systems (SSRF) and read arbitrary files on the server, potentially exposing sensitive information or enabling further attacks.

Detection Guidance

You can detect this vulnerability by testing the vulnerable endpoint `save.php` with the `action=oembedProxy` parameter and supplying URLs that attempt to read sensitive files or access internal network resources. For example, using curl or Python requests to send requests like: `http://ip:port/save.php?action=oembedProxy&url=/etc/passwd` to check if the server returns the contents of sensitive files. Example command using curl: `curl "http://ip:port/save.php?action=oembedProxy&url=/etc/passwd"`. If the response contains file contents, the vulnerability exists. [1]

Mitigation Strategies

Immediate mitigation steps include restricting or disabling access to the vulnerable `save.php` endpoint, especially the `oembedProxy` action parameter. Implement input validation and sanitization to prevent arbitrary URLs from being processed. Additionally, restrict outgoing HTTP requests from the server to internal resources and sensitive files. Applying patches or upgrading to a fixed version of VvvebJs beyond 1.7.4 when available is also recommended. [1]

Compliance Impact

The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2024-25181. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart