imgproxy SSRF (CVE-2023-30019)
Description
imgproxy versions up to and including 3.14.0 contain a Server-Side Request Forgery (SSRF) vulnerability that allows unauthenticated attackers to force the server to make arbitrary HTTP requests. Attackers can exploit this flaw to scan and access internal network resources, services, and endpoints that are not directly accessible from the internet, effectively using the imgproxy server as a proxy to bypass network security controls.
Remediation
Immediately upgrade imgproxy to version 3.15.0 or later, which addresses CVE-2023-30019. If an immediate upgrade is not possible, implement the following compensating controls:
(1) Configure network-level egress filtering so that the imgproxy server can only make outbound connections to the external image sources on an allowlist.
(2) Deploy imgproxy behind a Web Application Firewall (WAF) with rules that detect and block SSRF attempts.
(3) Use the IMGPROXY_ALLOWED_SOURCES configuration option to explicitly allowlist the permitted source URLs and protocols.
(4) Block access from the imgproxy server to the internal IP ranges 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 and 127.0.0.0/8 at the network firewall.
Verify the fix by confirming that requests for internal resources and cloud metadata endpoints are rejected after remediation.
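The following is an added example, not imgproxy's own code: a Go check in the spirit of controls (3) and (4) that accepts a source URL only if it starts with an allowed prefix (the comma-separated prefix form that IMGPROXY_ALLOWED_SOURCES takes, here passed as a slice) and its host is not an IP literal inside one of the internal ranges listed above. The function and variable names are assumptions.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Internal ranges named in the remediation: a source whose host is an IP
// literal inside any of these is rejected regardless of the allowlist.
var blockedCIDRs = mustParseCIDRs(
	"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8")

func mustParseCIDRs(cidrs ...string) []*net.IPNet {
	var nets []*net.IPNet
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err) // constructed list above is static, so this cannot fail
		}
		nets = append(nets, n)
	}
	return nets
}

// CheckSource (hypothetical name) returns nil only when raw is an absolute
// http(s) URL that starts with one of the allowed prefixes and whose host is
// not an IP literal (IPv4, IPv6 or IPv4-mapped IPv6) inside a blocked range.
func CheckSource(raw string, allowed []string) error {
	u, err := url.Parse(raw)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Hostname() == "" {
		return fmt.Errorf("rejected: not an absolute http(s) URL: %q", raw)
	}
	if ip := net.ParseIP(u.Hostname()); ip != nil {
		for _, n := range blockedCIDRs {
			if n.Contains(ip) {
				return fmt.Errorf("rejected: host %s is inside internal range %s", ip, n)
			}
		}
	}
	for _, p := range allowed {
		if strings.HasPrefix(raw, p) {
			return nil
		}
	}
	return fmt.Errorf("rejected: %q matches no allowed source prefix", raw)
}
```

A hostname that resolves to an internal address is not caught by the IP-literal check, which is why the egress filtering in control (1) remains necessary alongside it.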