Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
4DescriptionCVE.org
Jizhicms v2.5.4 is vulnerable to Server-Side Request Forgery (SSRF) in User Evaluation, Message, and Comment modules.
AnalysisAI
Server-Side Request Forgery in Jizhicms v2.5.4 allows unauthenticated remote attackers to abuse User Evaluation, Message, and Comment modules to make arbitrary HTTP requests from the server. With critical CVSS 9.1 (AV:N/AC:L/PR:N/UI:N), attackers can achieve high confidentiality and integrity impact without authentication. EPSS score of 0.02% (4th percentile) indicates low observed exploitation probability. No public exploit identified at time of analysis, and no vendor-released patch confirmed
Technical ContextAI
Server-Side Request Forgery (CWE-918) occurs when an application accepts user-controlled URLs and makes HTTP requests without proper validation of the destination. Jizhicms is a PHP-based content management system, and version 2.5.4 contains SSRF vulnerabilities in three distinct modules: User Evaluation, Message, and Comment. These modules likely accept URL parameters for features such as avatar fetching, link previews, or webhook callbacks without validating that the target is an external, safe resource. This allows attackers to force the server to make requests to arbitrary destinations including localhost (127.0.0.1), internal RFC1918 networks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), cloud metadata endpoints (169.254.169.254), or internal services. The vulnerability affects the product identified in CPE namespace a:n/a:n/a, indicating limited vendor coordination. The CVSS vector shows network-based attack with low complexity and no required privileges, making this trivially exploitable by any remote attacker.
RemediationAI
Organizations running Jizhicms v2.5.4 should monitor the official GitHub repository (github.com/Cherry-toto/jizhicms) and vendor website (jizhicms.cn) for security updates addressing CVE-2025-50228. Review GitHub issue #104 (github.com/Cherry-toto/jizhicms/issues/104) for vulnerability details and potential community-provided patches. No vendor-released patch independently confirmed at time of analysis. Immediate mitigations include implementing network-level controls to prevent the application server from making outbound requests to internal IP ranges (127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16) through egress filtering or web application firewall rules. For cloud deployments, block access to metadata endpoints (169.254.169.254, fd00:ec2::254) at the network or host firewall level. Conduct input validation audits of User Evaluation, Message, and Comment modules, implementing allowlists for permitted external domains and URL schema restrictions (limit to http/https, block file://, gopher://, dict://, etc.). Consider disabling vulnerable modules if not operationally required until patches are available. Implement defense-in-depth by running the application with minimal network permissions and using network segmentation to isolate CMS infrastructure from sensitive internal services.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209380
GHSA-3hh3-hx7r-ggc2