Medium severity5.8NVD Advisory· Published Oct 29, 2025· Updated Apr 15, 2026

CVE-2025-60898

Description

An unauthenticated server-side request forgery (SSRF) vulnerability in the Thumbnail via-uri endpoint of Halo CMS 2.21 allows a remote attacker to cause the server to issue HTTP requests to attacker-controlled URLs, including internal addresses. The endpoint performs a server-side GET to a user-supplied URI without adequate allow/blocklist validation and returns a 307 redirect that can disclose internal URLs in the Location header.

Affected products

Halo Dev/Haloinferred
Range: = 2.21

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

halo.comnvd
github.com/abdulr7mann/CVEs/blob/main/CVE-2025-60898/CVE-2025-60898.mdnvd

News mentions

No linked articles in our index yet.

cvss	0.377
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000