CVE-2025-27501
Published: 03 March 2025
Description
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
Security Summary
CVE-2025-27501 is a Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, affecting the ziti-console component of OpenZiti, an open-source zero trust networking project. An unauthenticated endpoint in the admin panel accepts a user-supplied URL parameter to connect to an OpenZiti Controller and performs a server-side request using the identity of the node. This exposes the application to SSRF risks, with a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N), indicating high severity due to network accessibility, no authentication required, and significant confidentiality impact across a changed scope.
Unauthenticated remote attackers can exploit this vulnerability by sending crafted requests to the admin panel endpoint, causing the server to make unauthorized requests to internal or external resources with the node's identity. Successful exploitation allows attackers to leverage the node's permissions on the OpenZiti Controller to access sensitive data or resources they would not otherwise reach, potentially bypassing zero trust controls.
The GitHub Security Advisory (GHSA-fqxh-vfv5-8qjp) details the fix in OpenZiti version 3.7.1, which relocates the controller connection request from server-side to client-side execution. This change prevents the server's node identity from being used to obtain elevated permissions, effectively mitigating the SSRF risk. Security practitioners should upgrade to 3.7.1 or later and review access to admin panel endpoints.
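The advisory's fix moves the controller connection to the client so the server's identity is never used for a user-chosen URL. Where a server-side fetch of a user-supplied controller URL must remain, a defence-in-depth validator like the following is the kind of check to put in front of it. This is an added example and not ziti-console's code; the allowlist, function names and resolved addresses are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: the only controller hosts this console may talk to.
ALLOWED_CONTROLLER_HOSTS = {"ctrl.example.internal"}
ALLOWED_SCHEMES = {"https"}


def is_forbidden_address(ip_text: str) -> bool:
    """Reject loopback, link-local (the 169.254.0.0/16 range that hosts cloud
    instance metadata), multicast and unspecified addresses. Private ranges are
    allowed because a controller normally lives on an internal network."""
    ip = ipaddress.ip_address(ip_text)
    # An IPv4-mapped IPv6 literal (::ffff:a.b.c.d) must be checked as IPv4,
    # otherwise the link-local test silently passes.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified


def validate_controller_url(url, resolved_ips, allowed_hosts=ALLOWED_CONTROLLER_HOSTS):
    """Return (ok, reason). resolved_ips is the list of addresses the URL's host
    resolved to; the caller passes it in so the check is deterministic offline,
    and so the same addresses are then used for the actual connection (avoids a
    DNS-rebinding gap between check and use)."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    host = parts.hostname  # urlsplit lowercases this for us
    if not host:
        return False, "no host in URL"
    if host not in allowed_hosts:
        return False, "host not in controller allowlist"
    if not resolved_ips:
        return False, "host did not resolve"
    for ip in resolved_ips:
        if is_forbidden_address(ip):
            return False, f"host resolves to forbidden address {ip}"
    return True, "ok"
```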
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An unauthenticated SSRF in a public-facing admin endpoint enables exploitation of a public-facing application (T1190), abuse of the Cloud Instance Metadata API for discovery (T1522), and unsecured credential access from cloud metadata (T1552.005).