CVE-2025-50228
SSRF Vulnerability in Jizhicms v2.5.4 User Modules
Publication date: 2026-04-09
Last updated on: 2026-04-14
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jizhicms | jizhicms | 2.5.4 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
Jizhicms version 2.5.4 has a Server-Side Request Forgery (SSRF) vulnerability in its User Evaluation, Message, and Comment modules.
These modules allow users to import network images by specifying image URLs without any validation or restrictions on the URL addresses.
Because there is no filtering on the URLs, attackers can input internal network addresses, causing the server to send unauthorized requests to internal services.
When content containing these URLs is saved, the SSRF vulnerability is triggered, allowing attackers to probe internal network resources via the server.
How can this vulnerability impact me? :
This vulnerability can allow attackers to make the server send unauthorized requests to internal network services that are normally inaccessible from outside.
Attackers can use this to probe and gather information about internal network resources, potentially exposing sensitive internal services or data.
Such unauthorized internal requests could lead to further exploitation or compromise of internal systems depending on what services are accessible.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The SSRF vulnerability in Jizhicms v2.5.4 can be detected by monitoring for unauthorized internal network requests triggered by the User Evaluation, Message, and Comment modules when they import network images via user-supplied URLs without validation.
Detection can involve checking server logs for outbound HTTP requests to internal IP addresses or unusual internal services that should not be accessed externally.
Specific commands to help detect this include:
- Using network monitoring tools like tcpdump or Wireshark to capture outbound HTTP requests from the server to internal IP ranges (e.g., 10.0.0.0/8, 192.168.0.0/16). Example: tcpdump -i eth0 dst net 10.0.0.0/8
- Checking web server access logs for requests containing URLs with internal IP addresses or suspicious domains.
- Using curl or wget commands to test the vulnerable modules by submitting image URLs pointing to internal services and observing if the server makes the request.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify how the SSRF vulnerability in Jizhicms v2.5.4 impacts compliance with common standards and regulations such as GDPR or HIPAA.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting or disabling the functionality that allows users to import images via URLs in the User Evaluation, Message, and Comment modules.
Implement input validation to block URLs that point to internal network addresses or non-whitelisted domains.
Monitor and block outbound HTTP requests from the server to internal IP ranges to prevent SSRF exploitation.
If possible, update or patch Jizhicms to a version where this SSRF vulnerability is fixed.