Cyber Resilience

CVE-2024-25181

Critical

Published: 29 December 2025
Modified: 07 January 2026
KEV Added: not listed
Patch: none listed
CVSS Score v3.1: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0025 (16.2th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2024-25181 is a critical-severity SSRF (CWE-918) vulnerability in Vvveb Vvvebjs. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 16.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-25181 is a critical vulnerability in givanz VvvebJs version 1.7.2 that enables both Server-Side Request Forgery (SSRF) and arbitrary file reading. The flaw originates from improper handling of user-supplied URLs passed to the file_get_contents function within the save.php file. It carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and maps to CWE-918 (Server-Side Request Forgery).

The vulnerability can be exploited by a remote, unauthenticated attacker requiring no user interaction and low attack complexity. Exploitation allows the attacker to trigger SSRF, potentially accessing internal network resources, and to read arbitrary files on the server, resulting in high impacts to confidentiality and integrity.

Advisories and further technical details are available in the referenced GitHub gist at https://gist.github.com/joaoviictorti/69cbae23d98fb9a1a4b3eee0c305c7de.


Vulnerability details

A critical vulnerability has been identified in givanz VvvebJs 1.7.2, which allows both Server-Side Request Forgery (SSRF) and arbitrary file reading. The vulnerability stems from improper handling of user-supplied URLs in the "file_get_contents" function within the "save.php" file.


MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

Why these techniques?

Unauthenticated remote exploitation of a public-facing web application (T1190) enables arbitrary local file reading (T1005) and SSRF.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-25182 (same product: Vvveb Vvvebjs)
CVE-2024-27480 (same product: Vvveb Vvvebjs)
CVE-2025-13096 (shared CWE-918)
CVE-2026-24138 (shared CWE-918)
CVE-2025-56589 (shared CWE-918)
CVE-2024-8952 (shared CWE-918)
CVE-2025-55161 (shared CWE-918)
CVE-2024-37359 (shared CWE-918)
CVE-2025-55853 (shared CWE-918)
CVE-2024-12450 (shared CWE-918)

Affected Assets

vvveb vvvebjs, versions ≤ 1.7.4

Mitigating Controls (NIST 800-53 r5)

prevent: Directly requires validation of user-supplied URLs prior to processing by file_get_contents, preventing both SSRF and arbitrary file reads.
prevent: Enforces information flow control policies to block unauthorized server-side requests to internal networks or local files via untrusted URLs.
prevent: Restricts information inputs to approved types and sources, limiting user-supplied URLs to safe schemes and destinations.
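The controls above amount to validating a user-supplied URL before it ever reaches file_get_contents. The following is an added example of such a check in PHP 8; it is not VvvebJs code and not the project's save.php fix, and it assumes a hypothetical allowlist of hosts the application legitimately fetches from:

```php
<?php
// Added example (not VvvebJs code). Requires PHP 8 for the union return type.

// True if $ip falls in a private (RFC 1918) or reserved (loopback, link-local, ...) range.
function is_private_ip(string $ip): bool {
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false;
}

// Returns the URL unchanged if it is acceptable to fetch, null otherwise.
function validate_fetch_url(string $url, array $allowed_hosts): ?string {
    $parts = parse_url($url);
    // Bare paths (/etc/passwd) and scheme-only wrappers (file:///..., php://...) have no host.
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    // Scheme allowlist: only http/https, never file, php, ftp, data, gopher, ...
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    // Host allowlist: the hypothetical list of hosts this feature is meant to reach.
    $host = strtolower($parts['host']);
    if (!in_array($host, $allowed_hosts, true)) {
        return null;
    }
    // Resolve and check every A record so an allowlisted name cannot point inside.
    // gethostbynamel() returns IPv4 addresses only; IPv6-only hosts are rejected here.
    $ips = gethostbynamel($host);
    if ($ips === false) {
        return null;
    }
    foreach ($ips as $ip) {
        if (is_private_ip($ip)) {
            return null;
        }
    }
    return $url;
}

// Fetch only after validation, with redirects disabled so a permitted host
// cannot bounce the request to an internal address.
function safe_fetch(string $url, array $allowed_hosts): string|false {
    $ok = validate_fetch_url($url, $allowed_hosts);
    if ($ok === null) {
        return false;
    }
    $ctx = stream_context_create(['http' => ['follow_location' => 0, 'timeout' => 5]]);
    return file_get_contents($ok, false, $ctx);
}

// Usage: safe_fetch($_GET['url'] ?? '', ['assets.example.com']);  // hypothetical allowlist
```

The resolve-then-fetch check still leaves a DNS rebinding window between the lookup and the request; pinning the resolved address at the HTTP client layer or routing fetches through an egress proxy closes it.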