CVE-2025-67427

EPSS 0.07%

evershop allows unauthenticated attackers to force server to initiate HTTP request via "GET /images" API

Published: 1/5/2026Modified: 2/3/2026

Description

A Blind Server-Side Request Forgery (SSRF) vulnerability in evershop 2.1.0 and prior allows unauthenticated attackers to force the server to initiate an HTTP request via the "GET /images" API. The vulnerability occurs due to insufficient validation of the "src" query parameter, which permits arbitrary HTTP or HTTPS URIs, resulting in unexpected requests against internal and external networks.

Affected packages (1)

npm/@evershop/evershopfrom 0, <= 2.1.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-67427
PATCHhttps://github.com/evershopcommerce/evershop
WEBhttps://github.com/dos-m0nk3y/CVE/tree/main/CVE-2025-67427
WEBhttps://pages.dos-m0nk3y.com/blog/EverShop%202.1.0%20-%20Unauthenticated%20DoS/#server-side-request-forgery-ssrf-cve-2025-67427