CVE-2025-1447 MEDIUM

CVE-2025-1447: kasuganosoras Pigeon index.php server-side request forgery

Vendor Kasuganosoras

Product Pigeon

Weakness CWE-918 · SSRF

Published February 19, 2025

Last update February 19, 2025

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

A vulnerability was found in kasuganosoras Pigeon 1.0.177. It has been declared as critical. This vulnerability affects unknown code of the file /pigeon/imgproxy/index.php. The manipulation of the argument url leads to server-side request forgery. The attack can be initiated remotely. Upgrading to version 1.0.181 is able to address this issue. The patch is identified as 84cea5fe73141689da2e7ec8676d47435bd6423e. It is recommended to upgrade the affected component.

Key dates

02Disclosure timeline

February 19, 2025 CVE published

February 19, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-1447

Related vulnerabilities

04Related CVE

CVE-2024-13697 Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss <= 2.7.4 - Unauthenticated Limited Server-Side Request Forgery in nice_links CVE-2023-3233 Zhong Bang CRMEB PublicController.php get_image_base64 server-side request forgery CVE-2023-25195 Apache Fineract: SSRF template type vulnerability in certain authenticated users CVE-2025-12388 B Carousel Block – Responsive Image and Content Carousel <= 1.1.5 - Missing Authorization to Authenticated (Subscriber+) Server-Side Request Forgery CVE-2022-4725 AWS SDK XML Parser XpathUtils.java XpathUtils server-side request forgery