PT-2025-5337 · Imgproxy, Suse · Benasin
Published 2025-01-27 · Updated 2025-01-30 · CVE-2025-24354
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: imgproxy versions prior to 3.27.2
Description: imgproxy is a server for resizing, processing, and converting images. Before version 3.27.2 it does not block the address 0.0.0.0 as an image source even when IMGPROXY_ALLOW_LOOPBACK_SOURCE_ADDRESSES is set to false. The loopback check recognises only addresses in the loopback range (127.0.0.0/8); 0.0.0.0 is the unspecified address rather than a loopback address, so it passes the check, yet on Linux a TCP connection to 0.0.0.0 is delivered to services listening on the local host. An attacker who can supply a source URL pointing at 0.0.0.0 can therefore make imgproxy issue requests to services bound on the server itself (server-side request forgery), reaching the same targets a 127.0.0.1 URL would have reached had the check not blocked it.
Recommendations: Update imgproxy to version 3.27.2 or later. No configuration setting in affected versions blocks 0.0.0.0, so the update is the actual fix. Until it is applied, reduce the exposure of services on the local host: any service reachable through 0.0.0.0 on the imgproxy host can be targeted, so bind internal services so that the imgproxy process cannot reach them or restrict them with host firewall rules. Where the deployment can enumerate its legitimate image origins, restricting them with IMGPROXY_ALLOWED_SOURCES and enforcing URL signing (IMGPROXY_KEY and IMGPROXY_SALT) further limits which source URLs an attacker can supply.
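The gap the description refers to, shown as an added Go example (imgproxy is written in Go) that is not imgproxy's own code: a check built only on the loopback definition lets 0.0.0.0 through, while one that also rejects the unspecified addresses does not. The hostnames, resolver answers and the fail-closed policy are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net"
)

// weakIsLocal reproduces the insufficient check described in the advisory:
// only the loopback definition is consulted (127.0.0.0/8 and ::1), so the
// unspecified address 0.0.0.0 is not recognised as local even though a
// connection to it on Linux reaches the local host.
func weakIsLocal(ip net.IP) bool {
	return ip.IsLoopback()
}

// hardenedIsLocal additionally rejects the unspecified addresses 0.0.0.0 and ::.
// net.IP.IsUnspecified also matches the IPv4-mapped spelling ::ffff:0.0.0.0,
// and IsLoopback matches ::ffff:127.0.0.1, so the mapped forms cannot be used
// to slip past either test. Illustrative code, not imgproxy's own check.
func hardenedIsLocal(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsUnspecified()
}

// constructedDNS stands in for a resolver so the example runs offline; the
// hostnames and answers are made up for this example.
var constructedDNS = map[string][]string{
	"images.example.com": {"203.0.113.10"},
	"rebind.example.com": {"203.0.113.10", "0.0.0.0"}, // one local answer among public ones
}

// resolveStatic accepts literal IPs directly and looks hostnames up in the
// constructed table above.
func resolveStatic(host string) ([]net.IP, error) {
	if ip := net.ParseIP(host); ip != nil {
		return []net.IP{ip}, nil
	}
	answers, ok := constructedDNS[host]
	if !ok {
		return nil, fmt.Errorf("unknown host %q", host)
	}
	ips := make([]net.IP, 0, len(answers))
	for _, a := range answers {
		ips = append(ips, net.ParseIP(a))
	}
	return ips, nil
}

// sourceBlocked decides whether a source host may be fetched when loopback
// sources are disallowed (the IMGPROXY_ALLOW_LOOPBACK_SOURCE_ADDRESSES=false
// case). Assumed policy: reject the host if any resolved address is local,
// which also covers a hostname that mixes public and local answers, and fail
// closed when resolution fails.
func sourceBlocked(host string, check func(net.IP) bool) (bool, error) {
	ips, err := resolveStatic(host)
	if err != nil {
		return true, err
	}
	for _, ip := range ips {
		if check(ip) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	hosts := []string{"127.0.0.1", "0.0.0.0", "::", "::ffff:0.0.0.0", "images.example.com", "rebind.example.com"}
	for _, host := range hosts {
		weak, _ := sourceBlocked(host, weakIsLocal)
		hard, _ := sourceBlocked(host, hardenedIsLocal)
		fmt.Printf("%-20s weak=%-5v hardened=%v\n", host, weak, hard)
	}
}
```

Running it prints one row per host; 0.0.0.0, :: and ::ffff:0.0.0.0 are blocked only by the hardened check, and rebind.example.com shows why the check has to be applied to every resolved address rather than to the hostname alone.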

Exploit · Fix · SSRF

Weakness Enumeration

Related Identifiers

CVE-2025-24354
GHSA-J2HP-6M75-V4J4
GO-2025-3422
OPENSUSE-SU-2025:14710-1
OPENSUSE-SU-2025_0297-1
SUSE-SU-2025:0297-1

Affected Products

Suse
Imgproxy