Platform
php
Component
glpi
Fixed in
0.84.1
CVE-2025-52567 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in GLPI, a popular asset and IT management software. The flaw lets an attacker cause the GLPI server to issue requests to internal resources within the GLPI infrastructure, which can lead to unauthorized access or information disclosure. The vulnerability affects GLPI versions 0.84 up to and including 10.0.18, with a fix available in version 10.0.19.
The SSRF vulnerability in GLPI arises from improper handling of RSS feeds and external calendar integrations used in planning. An attacker could craft malicious requests through these features, causing GLPI to send requests to internal services or to external URLs that the attacker controls. This could expose sensitive internal data, allow reconnaissance of the internal network, or facilitate access to internal systems if those systems are vulnerable to further exploitation. While the CVSS score is LOW, the potential for internal reconnaissance and lateral movement makes this a concerning issue, especially in environments with sensitive internal resources.
This vulnerability was publicly disclosed on 2025-07-30. There is no indication of active exploitation campaigns at this time. No public proof-of-concept (PoC) code has been released. The vulnerability has not been added to the CISA KEV catalog. The LOW CVSS score suggests a relatively low probability of exploitation, but proactive mitigation is still recommended.
Organizations heavily reliant on GLPI for asset and IT management, particularly those with complex internal networks and extensive use of RSS feeds or external calendar integrations for planning, are at increased risk. Shared hosting environments running GLPI are also at risk, since a compromised GLPI instance on the shared host could be used to exploit the flaw.
• php / server:
find /var/www/html/glpi -name 'index.php' -exec grep -i 'fetch_url' {} + | grep -i 'rss'
• generic web:
curl -I https://your-glpi-server/index.php?rss_url=http://internal-resource.local
• generic web:
curl -I https://your-glpi-server/app/planning/external_calendar.php?url=http://internal-resource.local
Disclosure
Exploit status
EPSS
0.03% (8th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-52567 is to upgrade GLPI to version 10.0.19 or later. If upgrading immediately is not feasible, consider temporarily disabling RSS feed and external calendar integrations within GLPI's planning features. Review GLPI's configuration to ensure that any external connections are properly validated and restricted. Implement a Web Application Firewall (WAF) with rules to block suspicious outbound requests originating from GLPI. Monitor GLPI logs for unusual outbound connections or requests to unexpected internal resources.
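The "validate and restrict external connections" step above is the generic SSRF guard for any server-side fetch of a user-supplied RSS or calendar URL. The following is an added example, not GLPI's own code or its fix: it rejects non-http(s) schemes, embedded credentials and unexpected ports, resolves the host and refuses any target whose addresses are not globally routable. The allowlisted ports, the function names and the constructed resolver answers in FAKE_DNS are assumptions for illustration.

```python
"""SSRF guard for server-side fetches of user-supplied feed/calendar URLs.

Added example, not GLPI code: the allowlisted ports, the constructed
resolver answers and all names here are assumptions for illustration.
"""
from __future__ import annotations

import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}  # policy choice; None means the scheme default


def _is_public(addr: str) -> bool:
    """True only for globally routable unicast addresses.

    is_global rejects private (10/8, 172.16/12, 192.168/16), loopback,
    link-local (169.254/16, where cloud metadata endpoints live), shared
    address space, documentation and reserved ranges for both IP versions.
    """
    ip = ipaddress.ip_address(addr)
    # An IPv4-mapped IPv6 literal such as ::ffff:10.0.0.1 must be judged
    # by the embedded IPv4 address, not treated as an opaque IPv6 address.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def dns_resolve(host: str) -> list[str]:
    """Default resolver: IP literals pass through, names go to DNS."""
    try:
        ipaddress.ip_address(host)
        return [host]
    except ValueError:
        pass
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def validate_fetch_target(url: str, resolver=dns_resolve) -> tuple[bool, str, list[str]]:
    """Decide whether the server may fetch `url` on a user's behalf.

    Returns (ok, reason, addresses). Every address the host resolves to
    must be public; a single internal answer rejects the whole target,
    which also covers split-horizon and mixed-answer DNS.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed", []
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL", []
    host = parts.hostname
    if not host:
        return False, "missing host", []
    try:
        port = parts.port
    except ValueError:
        return False, "malformed port", []
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed", []
    try:
        addrs = resolver(host)
    except OSError as exc:
        return False, f"resolution failed: {exc}", []
    if not addrs:
        return False, "host has no addresses", []
    for addr in addrs:
        if not _is_public(addr):
            return False, f"{host} resolves to non-public address {addr}", []
    return True, "ok", addrs


# Constructed resolver answers so the demo runs offline; the names are invented.
FAKE_DNS = {
    "feeds.example.org": ["93.184.216.34"],               # globally routable
    "intranet.corp.local": ["10.20.30.40"],               # RFC 1918
    "mixed.example.net": ["93.184.216.34", "127.0.0.1"],  # one public, one loopback
}


def fake_resolver(host: str) -> list[str]:
    """Offline stand-in for dns_resolve, answering from FAKE_DNS."""
    try:
        ipaddress.ip_address(host)
        return [host]
    except ValueError:
        pass
    if host not in FAKE_DNS:
        raise OSError(f"NXDOMAIN {host}")
    return FAKE_DNS[host]


if __name__ == "__main__":
    for candidate in [
        "https://feeds.example.org/rss.xml",
        "https://intranet.corp.local/calendar.ics",
        "http://[::ffff:10.0.0.1]/",
        "https://mixed.example.net/feed",
        "ftp://feeds.example.org/feed",
        "https://feeds.example.org:8443/feed",
    ]:
        ok, reason, _ = validate_fetch_target(candidate, fake_resolver)
        print(f"{'ALLOW' if ok else 'DENY ':5} {candidate}  ({reason})")
```

Two caveats belong with this check. The validation and the fetch are separate steps, so the fetcher should connect to one of the addresses the check returned rather than resolving the name a second time (a DNS answer that changes between the two lookups would otherwise bypass the check), and it must not follow HTTP redirects automatically: each redirect target has to go through validate_fetch_target again before being fetched.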
Update GLPI to version 10.0.19 or later. This version contains the fix for the SSRF vulnerability. It is recommended to take a backup before updating.
CVE-2025-52567 is a Server-Side Request Forgery vulnerability affecting GLPI versions 0.84 through 10.0.18, allowing attackers to potentially trigger requests to internal resources.
You are affected if you are running GLPI versions 0.84 to 10.0.18 and utilize RSS feeds or external calendars for planning.
Upgrade GLPI to version 10.0.19 or later. As a temporary workaround, disable RSS feed and external calendar integrations.
There are currently no confirmed reports of active exploitation, but the vulnerability remains a potential risk.
Refer to the official GLPI security advisory for detailed information and updates: [https://glpi.net/security](https://glpi.net/security)