Authenticated SSRF Vulnerability in Invoice Ninja by Invoice Ninja
CVE-2025-0474
7.7 HIGH
What is CVE-2025-0474?
Invoice Ninja is affected by an authenticated Server-Side Request Forgery (SSRF) vulnerability that lets attackers read arbitrary files and issue requests to network resources with the privileges of the application user. This flaw affects Invoice Ninja versions 5.8.56 through 5.11.23, potentially compromising sensitive data and allowing unauthorized access to internal resources.
Affected Version(s)
Invoice Ninja (Linux): 5.8.56 <= 5.11.23
