CVE-2025-64427 PUBLISHED

ZimaOS is vulnerable to Server-Side Request Forgery (SSRF)

Assigner: GitHub_M
Reserved: 03.11.2025 Published: 02.03.2026 Updated: 03.03.2026

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.0 and prior, due to insufficient validation or restriction of target URLs, an authenticated local user can craft requests that target internal IP addresses (e.g., 127.0.0.1, localhost, or private network ranges). This allows the attacker to interact with internal HTTP/HTTPS services that are not intended to be exposed externally or to local users. No known patch is publicly available.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L
CVSS Score: 7.1

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	None
User Interaction	None	Availability Impact	Low

CVSS 3.1

Product Status

Vendor	IceWhaleTech
Product	ZimaOS
Versions	Version < 1.5.0 is affected

References

https://github.com/IceWhaleTech/ZimaOS/security/advisories/GHSA-m8hj-7xg5-p375

Problem Types

CWE-918: Server-Side Request Forgery (SSRF) CWE
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE