CVE-2024-25181
Published: 29 December 2025
Description
A critical vulnerability in givanz VvvebJs 1.7.2 allows both Server-Side Request Forgery (SSRF) and arbitrary file reading. The flaw stems from improper handling of user-supplied URLs passed to the "file_get_contents" function in the "save.php" file.
Mitigating Controls (NIST 800-53 r5)
- Directly requires validation of user-supplied URLs prior to processing by file_get_contents, preventing both SSRF and arbitrary file reads.
- Enforces information flow control policies to block unauthorized server-side requests to internal networks or local files via untrusted URLs.
- Restricts information inputs to approved types and sources, limiting user-supplied URLs to safe schemes and destinations.
Security Summary
CVE-2024-25181 is a critical vulnerability in givanz VvvebJs version 1.7.2 that enables both Server-Side Request Forgery (SSRF) and arbitrary file reading. The flaw originates from improper handling of user-supplied URLs passed to the file_get_contents function within the save.php file. It carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and maps to CWE-918 (Server-Side Request Forgery).
The vulnerability can be exploited by a remote, unauthenticated attacker with low attack complexity and no user interaction required. Exploitation allows the attacker to trigger SSRF, potentially reaching internal network resources, and to read arbitrary files on the server, resulting in high impact to confidentiality and integrity.
Advisories and further technical details are available in the referenced GitHub gist at https://gist.github.com/joaoviictorti/69cbae23d98fb9a1a4b3eee0c305c7de.
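The controls above amount to one check: validate the scheme and destination of a user-supplied URL before file_get_contents ever sees it. The following PHP (PHP 8 or later) is an added illustration and is not VvvebJs code; the assumed shape of the flaw in save.php, a direct file_get_contents() on a request parameter, is an assumption, and the function names fetch_user_url and is_public_ip are invented for the example.

```php
<?php
// Added example, not VvvebJs code. Assumed shape of the flaw in save.php:
//     $content = file_get_contents($_POST['url']);
// which accepts file:///etc/passwd, php://filter/..., or http://127.0.0.1/...
// The hardened form below validates the URL before file_get_contents() sees it.

function is_public_ip(string $ip): bool {
    // Rejects loopback, link-local (cloud metadata), private and reserved ranges.
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) !== false;
}

function fetch_user_url(string $url): string|false {
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return false;                 // relative paths and scheme-less input
    }
    // Only plain http/https: rules out file://, php://, data:, ftp://, gopher://
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return false;
    }
    if (isset($p['user']) || isset($p['pass'])) {
        return false;                 // embedded credentials
    }
    $host = trim($p['host'], '[]');   // parse_url keeps IPv6 brackets
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $ips = [$host];               // IP literal
    } else {
        $ips = gethostbynamel($host); // A records only; false if unresolvable
        if ($ips === false) {
            return false;             // unresolvable (or IPv6-only) host: refuse
        }
    }
    foreach ($ips as $ip) {
        if (!is_public_ip($ip)) {
            return false;             // would reach an internal address
        }
    }
    // Do not follow redirects: an allowed public host must not be able to
    // bounce the request to an internal one after validation has passed.
    $ctx = stream_context_create(['http' => [
        'follow_location' => 0,
        'timeout'         => 5,
    ]]);
    return file_get_contents($url, false, $ctx);
}
```

Resolving the host and then fetching by name still leaves a DNS-rebinding window between the check and the connection; pinning the connection to the validated address (for example with cURL's CURLOPT_RESOLVE) closes it.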
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote exploitation of public-facing web app (T1190) enables arbitrary local file reading (T1005) and SSRF.