Imgproxy - SSRF (CVE-2025-24354)

CVE-2025-24354 is a vulnerability in imgproxy that allows remote attackers to access services on the local host by exploiting improper blocking of the 0.0.0.0 address, even when loopback source addresses are meant to be restricted. This flaw could be leveraged for unauthorized information disclosure or internal network probing until patched in version 3.27.2.

CrowdSec has been tracking this vulnerability and its exploits since 26th of November 2025.

Data from the CrowdSec community indicates that exploitation of CVE-2025-24354 is highly selective and intelligence-driven. Threat actors use advanced reconnaissance and carefully choose their targets, often as part of sophisticated campaigns or advanced persistent threat operations. Additionally, according to week-over-week analysis by CrowdSec, exploitation of CVE-2025-24354 is surging. Attack volumes are spiking well above historical norms, indicating widespread and escalating interest from threat actors. CVE-2025-24354 is currently experiencing high visibility and active exploitation across the internet.

Attackers exploit this vulnerability by sending requests to endpoints like /unsafe/plain/ with URLs pointing to internal or arbitrary hosts, attempting to force imgproxy to fetch resources from addresses such as 0.0.0.0 or attacker-controlled domains, leading to potential SSRF and exposure of internal services.