Server-Side Request Forgery in Kasuganosoras Pigeon 1.0.177
CVE-2025-1447
5.3 MEDIUM
Key Information:
- Vendor: Kasuganosoras
- Status
- Pigeon
- Vendor
- CVE Published: 19 February 2025
Summary
A server-side request forgery (SSRF) vulnerability has been identified in Pigeon by Kasuganosoras, specifically in version 1.0.177. Manipulating the 'url' parameter of /pigeon/imgproxy/index.php causes the server to issue requests on the attacker's behalf, and the attack can be launched remotely. The result is unwanted interaction between the server and other internal resources. Users are strongly advised to upgrade to version 1.0.181 to mitigate this risk. The fix is in commit 84cea5fe73141689da2e7ec8676d47435bd6423e.
Affected Version(s)
Pigeon 1.0.177
CVSS V4
- Score: 5.3
- Severity: MEDIUM
- Confidentiality: Low
- Integrity: None
- Availability: None
- Attack Vector: Network
- Attack Complexity: Low
- Attack Required: None
- Privileges Required: Undefined
- User Interaction: None
Timeline
Vulnerability published