{"id":"CVE-2025-59055","summary":"InstantCMS vulnerable to Server-Side Request Forgery via package installer","details":"InstantCMS is a free and open source content management system. A blind Server-Side Request Forgery (SSRF) vulnerability in InstantCMS up to and including 2.17.3 allows authenticated remote attackers to make any HTTP/HTTPS request via the package parameter. It is possible to make any HTTP/HTTPS request to any website through the installer functionality. Due to this vulnerability it is possible to, for example, scan the local network, call local services and their functions, conduct a DoS attack, and/or disclose a server's real IP if it is behind a reverse proxy. It is also possible to exhaust server resources by sending a plethora of such requests. As of time of publication, no patched releases are available.","aliases":["GHSA-79hh-mhvg-whrw"],"modified":"2026-04-10T05:31:45.949267Z","published":"2025-09-11T18:46:29.139Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/59xxx/CVE-2025-59055.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-918"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/59xxx/CVE-2025-59055.json"},{"type":"ADVISORY","url":"https://github.com/instantsoft/icms2/security/advisories/GHSA-79hh-mhvg-whrw"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-59055"},{"type":"FIX","url":"https://github.com/instantsoft/icms2/commit/fa997bdab3429fad0c850966bfacbcb96d5ab041"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/instantsoft/icms2","events":[{"introduced":"0"},{"fixed":"fa997bdab3429fad0c850966bfacbcb96d5ab041"}]}],"versions":["2.10.0","2.10.1","2.11.0","2.12.0","2.12.1","2.12.2","2.13.0","2.13.1","2.14.0","2.14.1","2.14.2","2.14.3","2.15.0","2.15.1","2.15.2","2.16.0","2.16.1","2.16.2","2.17.0","2.17.1","2.17.2","2.17.3","2.3.0","2.4.0","2.5.0","2.5.1","2.6.0","2.6.1","2.7.0","2.7.1","2.7.2","2.8.0","2.8.1","2.8.2","2.9.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-59055.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"}]}