CVE-2025-50228 identifies a Server-Side Request Forgery (SSRF) vulnerability affecting Jizhicms versions 1.0.0 and earlier. This flaw allows attackers to potentially trigger arbitrary requests through the User Evaluation, Message, and Comment modules, leading to unauthorized access or data exfiltration. The vulnerability was published on 2026-04-09 and a fix is available in version 2.5.4.
The SSRF vulnerability in Jizhicms allows an attacker to craft malicious requests that originate from the server itself. This can be exploited to access internal resources that are not directly accessible from the outside world, such as internal APIs, databases, or cloud services. An attacker could potentially read sensitive data, modify configurations, or even gain a foothold within the internal network. The impact is amplified if the Jizhicms instance is deployed in a cloud environment or has access to sensitive internal systems. This vulnerability shares similarities with other SSRF exploits where attackers leverage the server's trust to bypass security controls.
CVE-2025-50228 was publicly disclosed on 2026-04-09. The EPSS score is pending evaluation. There are currently no known public proof-of-concept exploits available. It is not listed on the CISA KEV catalog at the time of this writing.
Exploit Status: EPSS 0.04% (10th percentile)
The primary mitigation for CVE-2025-50228 is to upgrade Jizhicms to version 2.5.4 or later, which contains the fix for the SSRF vulnerability. If upgrading is not immediately feasible, apply temporary workarounds: restrict outbound network access from the Jizhicms server (for example through an egress proxy), and configure a WAF to block submitted URLs that point at internal or otherwise suspicious IP addresses. Thoroughly validate all user-supplied input so that malicious URLs are never processed. After upgrading, confirm the fix by attempting to trigger the previously vulnerable endpoints with crafted requests and verifying that they are properly blocked or handled.
Update Jizhicms to version 2.5.4 or later to mitigate the SSRF vulnerability. This update addresses the inadequate validation of user-provided URLs in the User Evaluation, Message, and Comment modules, preventing unauthorized access to internal resources.
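As an added illustration of the "validate user-provided URLs" advice above (example code written for this advisory, not Jizhicms code), the following check vets a URL before the server fetches it: scheme and port allowlist, no userinfo, and every address the host resolves to must be public, with the cloud metadata range and IPv4-mapped loopback addresses rejected. The resolver is injectable; the names and addresses in the lookup table are constructed so the check runs offline.

```python
# Added example for this advisory, not Jizhicms code: vet a user-supplied URL
# before the server fetches it; the resolver is injectable so it runs offline.
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed names and addresses for offline use; not real hosts.
CONSTRUCTED_DNS = {
    "cdn.example.com": ["23.45.67.89"],
    "split.example.com": ["23.45.67.89", "10.0.0.8"],  # one internal record
}

def table_resolver(host):  # offline stand-in for DNS; IP literals map to themselves
    if host in CONSTRUCTED_DNS:
        return CONSTRUCTED_DNS[host]
    return [str(ipaddress.ip_address(host))]  # ValueError if not an IP literal

def system_resolver(host):  # production resolver: every A/AAAA record of the name
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def is_public_address(addr):
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:  # e.g. ::ffff:127.0.0.1
        ip = ip.ipv4_mapped
    # is_global excludes loopback, RFC 1918, CGNAT, documentation space and link-local (169.254/16, the metadata range)
    return ip.is_global and not ip.is_multicast

def is_safe_fetch_url(url, resolver=system_resolver):
    """Return (ok, reason). Re-apply to each redirect target before following it."""
    try:
        parts = urlsplit(url)
        port = parts.port  # ValueError on a malformed port
    except ValueError as exc:
        return False, "malformed url: %s" % exc
    if parts.scheme.lower() not in ("http", "https"):
        return False, "scheme not allowed"
    if parts.username or parts.password or not parts.hostname:
        return False, "userinfo present or host missing"
    if port is not None and port not in (80, 443):
        return False, "port not allowed"
    try:
        addrs = resolver(parts.hostname)
    except (socket.gaierror, ValueError) as exc:
        return False, "resolution failed: %s" % exc
    # Every record must be public; a single internal record is enough to misdirect the server.
    bad = [a for a in addrs if not is_public_address(a)]
    if not addrs or bad:
        return False, "non-public address: %s" % ", ".join(bad)
    return True, "ok"
```

Connect to the address that passed the check rather than resolving the name a second time, since a later DNS answer can differ from the one validated.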
CVE-2025-50228 is a Server-Side Request Forgery (SSRF) vulnerability in Jizhicms versions 1.0.0 and prior, allowing attackers to trigger arbitrary requests.
You are affected if you are using Jizhicms versions 1.0.0 and earlier. Upgrade to version 2.5.4 to mitigate the risk.
Upgrade Jizhicms to version 2.5.4 or later. As a temporary workaround, restrict outbound network access using a WAF or proxy.
There are currently no confirmed reports of active exploitation, but the vulnerability is publicly known.
Refer to the Jizhicms official website or security advisories for the latest information and updates regarding CVE-2025-50228.