CVE-2025-64427
Server-Side Request Forgery in ZimaOS Allows Internal Access
Publication date: 2026-03-02
Last updated on: 2026-03-05
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zimaspace | zimaos | up to and including 1.5.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-64427 is a high-severity Server-Side Request Forgery (SSRF) vulnerability in ZimaOS versions up to and including 1.5.0. It occurs because the system does not properly validate or restrict target URLs in the /v1/sys/proxy endpoint.
This flaw allows an authenticated local user to craft requests that target internal IP addresses such as 127.0.0.1 (localhost) and private network ranges. As a result, the attacker can interact with internal HTTP/HTTPS services that are not meant to be accessible externally or by local users.
The attack requires low privileges and no user interaction, enabling the attacker to bypass network-level controls and access sensitive internal services and data.
How can this vulnerability impact me?
This vulnerability can lead to sensitive information disclosure by allowing attackers to access internal services and data that should be protected.
- Attackers can retrieve data from internal endpoints such as app management and local storage information.
- It enables bypassing of network-level security controls, exposing internal services to unauthorized access.
- Because the attack requires only low privileges and no user interaction, it increases the risk of exploitation.
Overall, this can compromise the confidentiality of sensitive information within the affected system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for crafted HTTP requests to the /v1/sys/proxy endpoint that include URLs targeting internal IP addresses such as 127.0.0.1, localhost, or private network ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16).
A proof of concept involves authenticating with local user credentials, intercepting the JWT authorization token, and sending a crafted HTTP GET request to the proxy endpoint with the URL parameter set to an internal service address.
To detect exploitation attempts, you can use network monitoring tools or web server logs to look for requests similar to the following command example using curl:
- `curl -H "Authorization: Bearer <JWT_TOKEN>" "http://<zimaos-host>/v1/sys/proxy?url=http://127.0.0.1:<internal-port>"`
Replace <JWT_TOKEN> with a valid token and <internal-port> with ports like 40331 or 44081, which are known internal endpoints that may be targeted. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include implementing strict validation and restriction of target URLs in the /v1/sys/proxy endpoint.
- Maintain a whitelist of approved external hostnames and domains that the proxy endpoint can access.
- Explicitly reject any requests that target IP addresses within private and loopback ranges, including IPv6 equivalents.
Since no patched versions are publicly available, these configuration changes are critical to prevent attackers from exploiting the vulnerability.
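The allowlist-plus-deny-range check described in the mitigation steps above, together with a log sweep for the detection question, as an added Go example that is not ZimaOS's own code. It assumes a hypothetical allowlist entry (updates.example.com), only the Go standard library, and constructed access-log lines; the function and variable names are the example's own.

```go
package main

import (
	"fmt"
	"net/netip"
	"net/url"
	"strings"
)

// allowedHosts is a constructed allowlist of external hosts the proxy may reach.
var allowedHosts = map[string]bool{"updates.example.com": true}

// isInternalIP: loopback, RFC 1918/ULA, link-local or unspecified, after unwrapping ::ffff:a.b.c.d.
func isInternalIP(ip netip.Addr) bool {
	ip = ip.Unmap()
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsUnspecified()
}

// checkProxyTarget returns nil only for an http(s) URL whose host is allowlisted; all else is rejected with a reason.
func checkProxyTarget(raw string) error {
	u, err := url.Parse(raw)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") {
		return fmt.Errorf("%q is not a parseable http(s) URL", raw)
	}
	host := strings.ToLower(u.Hostname()) // IPv6 literals come back without brackets
	if ip, err := netip.ParseAddr(host); err == nil && isInternalIP(ip) {
		return fmt.Errorf("%s is in an internal address range", ip)
	}
	if host == "localhost" || strings.HasSuffix(host, ".localhost") || !allowedHosts[host] {
		return fmt.Errorf("host %q is not on the allowlist", host)
	}
	return nil
}

// flagProxyRequests is the detection side: it returns the url= targets of
// /v1/sys/proxy requests in access-log lines that checkProxyTarget rejects.
func flagProxyRequests(lines []string) []string {
	var hits []string
	for _, line := range lines {
		_, rest, found := strings.Cut(line, "/v1/sys/proxy?url=")
		if !found {
			continue
		}
		raw, _, _ := strings.Cut(rest, " ") // the request line continues with " HTTP/1.1"
		if t, err := url.QueryUnescape(raw); err == nil && checkProxyTarget(t) != nil {
			hits = append(hits, t)
		}
	}
	return hits
}
```

An allowlisted hostname can still resolve to an internal address (DNS rebinding), so the resolved address should be re-checked with isInternalIP at dial time as well.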