Platform
php
Component
glpi
Fixed in
10.0.19
CVE-2025-52567 is a Server-Side Request Forgery (SSRF) vulnerability in GLPI, a widely used asset and IT management application. The flaw lets an attacker make the GLPI server issue requests to resources that the server can reach but the attacker cannot, which can lead to unauthorized access to internal services or to information disclosure. It affects GLPI versions 0.84 up to and including 10.0.18; the fix ships in version 10.0.19.
The vulnerability stems from improper handling of the URLs used by GLPI's RSS feed and external calendar integrations in the planning features. A user who can configure a feed or calendar URL can point it at an arbitrary internal or external destination, and GLPI fetches it server-side. Because the request originates from the GLPI server, anything reachable from that host becomes a candidate target: services bound to loopback, internal databases or administrative interfaces, and cloud instance metadata endpoints (for example 169.254.169.254) that are never exposed to the outside. The CVSS score is LOW, but the real impact depends on the network architecture around the GLPI server and on the sensitivity of what it can reach. Exploitation could result in information leakage, denial of service against internal services, or a foothold for further attacks once an internal system has been reached.
The vulnerability was publicly disclosed on 2025-07-30. No public proof-of-concept exploit is known, and the vulnerability has not been added to the CISA KEV catalog as of this writing. Given the low CVSS score and the fact that the attacker must be able to configure feed or calendar URLs in GLPI, widespread exploitation is considered unlikely, but an attacker who already has that access could use the flaw as a pivot into poorly secured internal systems.
Exploit Status
EPSS: 0.03% (8th percentile)
The primary mitigation for CVE-2025-52567 is to upgrade GLPI to version 10.0.19 or later, which contains the fix. If upgrading immediately is not feasible, temporarily disable the RSS feed and external calendar integrations in GLPI's planning features. Restrict outbound (egress) network access from the GLPI server with host or network firewall rules so that it can only reach the external feed and calendar hosts it genuinely needs, and in particular cannot reach internal management interfaces, databases or cloud metadata endpoints; note that a Web Application Firewall inspects inbound requests and does not stop the server's own outbound fetches, so egress filtering is the relevant control here. Monitor GLPI logs and egress firewall or proxy logs for connections from the GLPI server to internal addresses and for error messages related to RSS feed or calendar processing.
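The following is an added example, not GLPI's own code, illustrating the two controls described above: the check a server should apply to a user-supplied feed or calendar URL before fetching it (reject non-HTTP schemes and any host that resolves to loopback, private, link-local or metadata address space), and the same address classifier applied to egress-log lines to spot the GLPI host reaching internal addresses. The log line format (`SRC=`/`DST=`/`DPT=`), the host addresses and the injectable resolver used for offline testing are assumptions made for the example.

```python
"""Illustrative SSRF guard and egress-log check (added example, not GLPI code)."""
import ipaddress
import socket
from urllib.parse import urlsplit

# Address ranges a server-side fetch should never reach on a user's behalf:
# "this" network, RFC 1918, CGNAT, loopback, link-local (which contains the
# cloud metadata address 169.254.169.254) and their IPv6 counterparts.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]
ALLOWED_SCHEMES = {"http", "https"}


def is_blocked_ip(ip: str) -> bool:
    """True if the address falls in a blocked range (IPv4-mapped IPv6 unwrapped)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def default_resolver(host: str) -> list[str]:
    """Resolve a hostname to all of its A/AAAA addresses using real DNS."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_fetch_url(url: str, resolver=default_resolver) -> tuple[bool, str]:
    """Decide whether the server may fetch a user-supplied URL.

    Returns (allowed, reason). The host is resolved and every address is
    checked, so a DNS name cannot be used to smuggle in an internal target.
    `resolver` is injectable so the check can be exercised offline.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme or '(none)'}"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "no host"
    try:
        ipaddress.ip_address(host)  # literal IP: validate it directly
        ips = [host]
    except ValueError:
        try:
            ips = resolver(host)
        except OSError as exc:
            return False, f"dns failure: {exc}"
    if not ips:
        return False, "host did not resolve"
    for ip in ips:
        if is_blocked_ip(ip):
            return False, f"{host} resolves to blocked address {ip}"
    return True, "ok"


def scan_egress_log(lines, glpi_host: str):
    """Flag outbound connections from the GLPI server to blocked ranges.

    Lines are expected in an assumed 'SRC=<ip> DST=<ip> DPT=<port>' form,
    as emitted by a generic egress firewall; returns (dst, port) pairs.
    """
    hits = []
    for line in lines:
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        if fields.get("SRC") != glpi_host:
            continue
        dst = fields.get("DST")
        if dst and is_blocked_ip(dst):
            hits.append((dst, fields.get("DPT")))
    return hits


# Constructed sample egress log; 10.0.5.20 plays the GLPI server.
SAMPLE_LOG = [
    "SRC=10.0.5.20 DST=203.0.113.10 DPT=443",    # ordinary feed fetch
    "SRC=10.0.5.20 DST=169.254.169.254 DPT=80",  # cloud metadata endpoint
    "SRC=10.0.5.20 DST=10.0.5.40 DPT=3306",      # internal database
    "SRC=10.0.7.9 DST=10.0.5.40 DPT=3306",       # another host, not GLPI
]

if __name__ == "__main__":
    offline = lambda h: ["93.184.216.34"]  # assumed answer for demonstration
    for url in ("https://example.com/feed.xml",
                "http://169.254.169.254/latest/meta-data/",
                "file:///etc/passwd"):
        print(url, check_fetch_url(url, resolver=offline))
    print(scan_egress_log(SAMPLE_LOG, "10.0.5.20"))
```

Two caveats a deployment needs beyond this check: the fetch must connect to the address that was validated rather than re-resolving the name (otherwise a DNS answer that changes between check and fetch defeats the guard), and HTTP redirects must be re-validated with the same function before being followed.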
Update GLPI to version 10.0.19 or higher. This version contains the fix for the SSRF (Server-Side Request Forgery) vulnerability. It is recommended to perform a backup before updating.
CVE-2025-52567 is a Server-Side Request Forgery vulnerability affecting GLPI versions 0.84 through 10.0.18, allowing attackers to potentially trigger requests to internal resources.
You are affected if you are running GLPI versions 0.84 to 10.0.18 and utilize RSS feeds or external calendars for planning.
Upgrade GLPI to version 10.0.19 or later. As a temporary workaround, disable RSS feed and external calendar integrations.
There are currently no confirmed reports of active exploitation, but the vulnerability remains a potential risk.
Refer to the official GLPI security advisory for detailed information and updates: [https://glpi.net/security](https://glpi.net/security)