CVE-2025-67427: evershop allows unauthenticated attackers to force server to initiate HTTP request via "GET /images" API

January 5, 2026

A Blind Server-Side Request Forgery (SSRF) vulnerability in evershop 2.1.0 and prior allows unauthenticated attackers to force the server to initiate an HTTP request via the “GET /images” API. The vulnerability occurs due to insufficient validation of the “src” query parameter, which permits arbitrary HTTP or HTTPS URIs, resulting in unexpected requests against internal and external networks.

References

github.com/advisories/GHSA-vp8w-wj4m-3r7j
github.com/dos-m0nk3y/CVE/tree/main/CVE-2025-67427
github.com/evershopcommerce/evershop
nvd.nist.gov/vuln/detail/CVE-2025-67427
pages.dos-m0nk3y.com/blog/EverShop%202.1.0%20-%20Unauthenticated%20DoS/

Code Behaviors & Features

Detect and mitigate CVE-2025-67427 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →