CVE-2025-24354: 
Linux openSUSE vulnerability analysis and mitigation

CVE-2025-24354 affects imgproxy, a server for resizing, processing, and converting images. The vulnerability was discovered and disclosed on January 27, 2025. The issue stems from imgproxy's failure to block the 0.0.0.0 address, even when IMGPROXY_ALLOW_LOOPBACK_SOURCE_ADDRESSES is set to false, which can expose services on the local host. This vulnerability has been fixed in version 3.27.2 (GitHub Advisory).

The vulnerability exists in imgproxy's source address verification mechanism. The security check only verifies if an IP is a loopback address using Go's IsLoopback function, which strictly follows the definition of loopback IPs beginning with 127. However, this check is insufficient as it doesn't block 0.0.0.0, which can be used to access local services. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (GitHub Advisory).

The vulnerability could allow attackers to perform Server-Side Request Forgery (SSRF) attacks against services listening on 0.0.0.0, potentially exposing services on the local host. This could lead to unauthorized access to internal services and potential information disclosure (GitHub Advisory).

The vulnerability has been fixed in imgproxy version 3.27.2. The fix involves updating the source address verification to also check for unspecified IP addresses (0.0.0.0) using the ip.IsUnspecified() function in addition to the existing ip.IsLoopback() check (GitHub Commit).