PT-2026-22627
Published: 2026-03-02 · Updated: 2026-03-06
CVE-2025-64427
CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L
Name of the Vulnerable Software and Affected Versions
ZimaOS versions prior to 1.5.1
Description
ZimaOS, a fork of CasaOS, is affected by a server-side request forgery (SSRF) flaw caused by inadequate validation or restriction of target URLs. An authenticated local user can construct requests that the server sends on their behalf to internal IP addresses, such as 127.0.0.1, localhost, or private network ranges. This allows interaction with internal HTTP/HTTPS services that were never meant to be reachable by external or local users.
Recommendations
Update ZimaOS to version 1.5.1 or later. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
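To show the kind of target check the description says was missing, the following Go validator (an added example, not ZimaOS or CasaOS code) rejects URLs whose host is loopback, private, link-local or otherwise internal before a server-side fetch is made, and returns the vetted address so the caller can dial it directly. The Resolver type and the injectable lookup are assumptions made so the check can be exercised offline.

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
	"net/url"
	"strings"
)
// Resolver maps a host name to addresses; injectable so the check can run
// offline in tests. Production code passes net.LookupIP.
type Resolver func(host string) ([]net.IP, error)
// blockedAddr flags loopback, private (RFC 1918 / ULA), link-local (covers the
// 169.254.169.254 metadata endpoint), multicast and unspecified addresses.
// IPv4-mapped IPv6 is unwrapped first so ::ffff:127.0.0.1 cannot slip past.
func blockedAddr(a netip.Addr) bool {
	a = a.Unmap()
	return a.IsLoopback() || a.IsPrivate() || a.IsLinkLocalUnicast() ||
		a.IsLinkLocalMulticast() || a.IsMulticast() || a.IsUnspecified()
}
// ValidateTarget returns the vetted IP for a user-supplied http(s) URL; dial
// that IP directly so a DNS rebind between check and connect cannot bypass it.
func ValidateTarget(raw string, resolve Resolver) (netip.Addr, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return netip.Addr{}, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return netip.Addr{}, fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := strings.ToLower(u.Hostname())
	if host == "" || host == "localhost" || strings.HasSuffix(host, ".localhost") {
		return netip.Addr{}, fmt.Errorf("host %q not allowed", host)
	}
	var ips []net.IP
	if lit, perr := netip.ParseAddr(host); perr == nil {
		ips = []net.IP{lit.AsSlice()} // literal address: no lookup needed
	} else if ips, err = resolve(host); err != nil || len(ips) == 0 {
		return netip.Addr{}, fmt.Errorf("cannot resolve %q", host)
	}
	for _, ip := range ips { // every record must pass: a name may mix public and internal
		a, ok := netip.AddrFromSlice(ip)
		if !ok || blockedAddr(a) {
			return netip.Addr{}, fmt.Errorf("%q resolves to a blocked address", host)
		}
	}
	a, _ := netip.AddrFromSlice(ips[0])
	return a.Unmap(), nil
}
```

A deny-list like this is the minimum; where the set of legitimate targets is known, an allow-list of hosts is the stronger control.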
Exploit
Information Disclosure
SSRF
Related Identifiers
Affected Products
Casaos
Zimaos