CVE-2025-60898

Name of the Vulnerable Software and Affected Versions Halo CMS version 2.21

Description An unauthenticated server-side request forgery (SSRF) exists in the Thumbnail via-uri endpoint. This allows a remote attacker to make the server send HTTP requests to URLs controlled by the attacker, potentially including internal addresses. The endpoint performs a server-side GET request to a user-supplied URI without sufficient validation, and returns a 307 redirect that may reveal internal URLs in the Location header. The via-uri parameter is involved in this issue.

Recommendations Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict access to the via-uri endpoint until a patch is available.