Moderate severityOSV Advisory· Published Jan 5, 2026· Updated Jan 5, 2026

CVE-2025-67427

Description

A Blind Server-Side Request Forgery (SSRF) vulnerability in evershop 2.1.0 and prior allows unauthenticated attackers to force the server to initiate an HTTP request via the "GET /images" API. The vulnerability occurs due to insufficient validation of the "src" query parameter, which permits arbitrary HTTP or HTTPS URIs, resulting in unexpected requests against internal and external networks.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
@evershop/evershopnpm	<= 2.1.0	—

Affected products

Evershopcommerce/EvershopOSV
Range: 1.0.0-rc.9, v1.0.0, v1.1.0, …

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-vp8w-wj4m-3r7jghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2025-67427ghsaADVISORY
github.com/dos-m0nk3y/CVE/tree/main/CVE-2025-67427ghsaWEB
pages.dos-m0nk3y.com/blog/EverShop%202.1.0%20-%20Unauthenticated%20DoS/ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000