Imgproxy - SSRF (CVE-2025-24354)

CVE-2025-24354 is a vulnerability in imgproxy that allows remote attackers to access services on the local host by exploiting improper blocking of the 0.0.0.0 address, even when loopback source addresses are meant to be restricted. This flaw could be leveraged for unauthorized information disclosure or internal network probing until patched in version 3.27.2.

CrowdSec has been tracking this vulnerability and its exploits since 26th of November 2025.

CrowdSec network observations suggest that most exploitation of CVE-2025-24354 involves focused reconnaissance to identify viable targets. Attackers typically tailor their campaigns based on system exposure and configuration. It is unlikely that a given attack is accidental. CrowdSec data also reveals a clear uptick in attacks involving CVE-2025-24354 over the past week. Activity is above the usual baseline, suggesting growing attention from attackers. This may reflect rising awareness, recent exploit releases, or expanded targeting efforts.

Attackers exploit this vulnerability by sending requests to endpoints like /unsafe/plain/ with URLs pointing to internal or arbitrary hosts, attempting to force imgproxy to fetch resources from addresses such as 0.0.0.0 or attacker-controlled domains, leading to potential SSRF and exposure of internal services.