CVE-2025-67427 — evershop allows unauthenticated attackers to force server to initiate HTTP reque

Description

A Blind Server-Side Request Forgery (SSRF) vulnerability in evershop 2.1.0 and prior allows unauthenticated attackers to force the server to initiate an HTTP request via the "GET /images" API. The vulnerability occurs due to insufficient validation of the "src" query parameter, which permits arbitrary HTTP or HTTPS URIs, resulting in unexpected requests against internal and external networks.

How to fix CVE-2025-67427

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed

Is CVE-2025-67427 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, <= 2.1.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-67427
PATCHgithub.com/evershopcommerce/evershop
WEBgithub.com/dos-m0nk3y/CVE/tree/main/CVE-2025-67427
WEBpages.dos-m0nk3y.com/blog/EverShop%202.1.0%20-%20Unauthenticated%20DoS/#server-side-request-forgery-ssrf-cve-2025-67427