CVE-2024-52594 github.com/matrix-org/gomatrixserverlib

Package

Manager: go
Name: github.com/matrix-org/gomatrixserverlib
Vulnerable Version: >=0 <0.0.0-20250116181547-c4f1e01eab0d

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00073 (percentile 0.22876)

Details

Gomatrixserverlib Server-Side Request Forgery (SSRF) on redirects and federation

Impact: Gomatrixserverlib is vulnerable to server-side request forgery, serving content from a private network it can access, under certain conditions.

Patches: Commit c4f1e01eab0dd435709ad15463ed38a079ad6128 fixes this issue.

Workarounds: Use a local firewall to limit the network segments and hosts that the service using gomatrixserverlib can access.

References: N/A

Metadata

Created: 2025-01-16T23:08:32Z
Modified: 2025-01-17T15:41:23Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-4ff6-858j-r822/GHSA-4ff6-858j-r822.json
CWE IDs: ["CWE-918"]
Alternative ID: GHSA-4ff6-858j-r822
Finding: F100
Auto approve: 1