Blind Server-Side Request Forgery Vulnerability in ThinkDashboard
CVE-2025-64327

5.3MEDIUM

Key Information:

Vendor

Matiasdesuu

Status
Thinkdashboard
Vendor
CVE Published:
6 November 2025

What is CVE-2025-64327?

ThinkDashboard, a self-hosted bookmark dashboard built with Go and vanilla JavaScript, has a vulnerability that allows attackers to exploit its /api/ping?url= endpoint. Versions 0.6.7 and earlier are susceptible to Blind Server-Side Request Forgery, enabling malicious users to make arbitrary requests to both internal and external hosts. This exploitation could lead to the discovery of open ports on the local machine as well as vulnerabilities in the local network. This security concern has been addressed in version 0.6.8.

Affected Version(s)

ThinkDashboard < 0.6.8

References

https://github.com/MatiasDesuu/ThinkDashboard/security/ad...
x_refsource_CONFIRM
https://github.com/MatiasDesuu/ThinkDashboard/commit/1697...
x_refsource_MISC
https://github.com/MatiasDesuu/ThinkDashboard/releases/ta...
x_refsource_MISC

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.
CVE-2025-64327 : Blind Server-Side Request Forgery Vulnerability in ThinkDashboard