Cyber Posture

CVE-2024-54819

Critical

Published: 07 January 2025
Modified: 15 April 2026
KEV Added
Patch
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.4393 (97.6th percentile)
Risk Priority: 45 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

I, Librarian versions up to and including 5.11.1 are vulnerable to Server-Side Request Forgery (SSRF) due to improper input validation in classes/security/validation.php.

Security Summary

CVE-2024-54819 is a Server-Side Request Forgery (SSRF) vulnerability affecting I, Librarian versions before and including 5.11.1. The issue arises from improper input validation in the file classes/security/validation.php. It carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and maps to CWE-918: Server-Side Request Forgery. The vulnerability was published on 2025-01-07.

Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required. Successful exploitation enables high-impact compromise of confidentiality and integrity, while availability remains unaffected.

Patches and mitigation details are available via the fixing commit at https://github.com/mkucej/i-librarian-free/commit/ed36f6f258392fa2ec72f9820661ded75d91accc. Additional research and advisory information is provided at https://www.partywave.site/show/research/cve-2024-54819-i-librarian-server-side-request-forgery and https://github.com/partywavesec/CVE-2024-55557.

Details

CWE(s)
CWE-918

References