Cyber Resilience

CVE-2025-0474

High · Public PoC

Published: 14 January 2025

Modified: 15 April 2026
CVSS Score v3.1: 7.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)
EPSS Score: 0.0022 (45.2nd percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-0474 is a high-severity SSRF (CWE-918) vulnerability. Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE ranks at the 45.2nd percentile by exploit likelihood (EPSS), below the median. It is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-0474 is an authenticated Server-Side Request Forgery (SSRF) vulnerability in Invoice Ninja, affecting versions from 5.8.56 through 5.11.23. The flaw, tied to CWE-918, enables arbitrary file reads and network resource requests executed as the application user. It carries a CVSS v3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N), highlighting high confidentiality impact with changed scope.

Authenticated users with low privileges (PR:L) can exploit this over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Exploitation allows reading sensitive arbitrary files on the server and issuing requests to internal or external network resources under the application's user context, potentially exposing confidential data or enabling further reconnaissance and pivoting.

Vendor patches address the issue, as detailed in GitHub commit 2a9bf353b432d7060e85487b617151ecbc36247d and the compare between 97ae948618230c1812f3223b80bf22dcb0382dc5 and 435780932fe19063001d79ba518815df62773d71. Additional mitigation guidance appears in the VulnCheck advisory at https://vulncheck.com/advisories/invoice-ninja-ssrf.

Vulnerability details

Invoice Ninja is vulnerable to authenticated Server-Side Request Forgery (SSRF) allowing for arbitrary file read and network resource requests as the application user. This issue affects Invoice Ninja: from 5.8.56 through 5.11.23.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1005: Data from Local System (tactic: Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1018: Remote System Discovery (tactic: Discovery)
Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system.

T1046: Network Service Discovery (tactic: Discovery)
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.

Why these techniques?

SSRF directly enables arbitrary local file reads (T1005) and internal network requests facilitating remote system and service discovery (T1018, T1046).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-34428 (shared CWE-918)
CVE-2025-14610 (shared CWE-918)
CVE-2026-35459 (shared CWE-918)
CVE-2025-22399 (shared CWE-918)
CVE-2026-35187 (shared CWE-918)
CVE-2025-25297 (shared CWE-918)
CVE-2026-3052 (shared CWE-918)
CVE-2025-55161 (shared CWE-918)
CVE-2024-12450 (shared CWE-918)
CVE-2026-4200 (shared CWE-918)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Directly remediates the SSRF vulnerability through timely identification, reporting, and application of vendor-provided patches for affected Invoice Ninja versions.

Prevent: Validates user inputs at points where they are used to construct server-side requests, preventing SSRF exploitation for arbitrary file reads and network resource access.

Prevent: Limits the application user's privileges to the minimum necessary, reducing the impact of SSRF by restricting access to sensitive files and network resources.
