Cyber Resilience

CVE-2025-29458

Severity: High · Public PoC available

Published: 17 April 2025
Modified: 24 April 2025
KEV Added: not listed
Patch: none referenced
CVSS Score v3.1: 7.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L)
EPSS Score: 0.0098 (77.2nd percentile)
Risk Priority: 16 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-29458 is a high-severity SSRF (CWE-918) vulnerability in MyBB. Its CVSS base score is 7.6 (High).

Operationally, it ranks in the top 22.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

MyBB 1.8.38 contains a vulnerability in the Change Avatar function that permits a remote attacker to obtain sensitive information. The issue is tracked as CWE-918 and carries a CVSS 3.1 score of 7.6, reflecting network attack vector, low complexity, and low privileges required. The vendor disputes the finding, stating that the behavior aligns with intended actions available to board administrators and that existing SSRF protections already address the concern.

An authenticated user with low privileges can supply a crafted avatar URL through the Change Avatar feature and cause the server to issue requests on their behalf, potentially disclosing internal resources or sensitive data. The attack requires no user interaction and primarily affects the confidentiality of the application and its underlying infrastructure (CVSS C:H, I:L, A:L).

MyBB documentation recommends limiting access to private hosts and IP addresses as a primary control against SSRF vectors in administrative functions. No additional patch or version-specific remediation is referenced in the available advisories.
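The control described above, rejecting avatar URLs that resolve to private hosts or IP addresses before any server-side fetch, as an added example in Python (MyBB itself is PHP; this is not the project's code). The hostnames and the FAKE_DNS table are constructed so the example runs offline; in production the system resolver is used.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed stand-in for DNS so the example runs offline; the names and
# addresses below are invented (203.0.114.10 plays the role of a public host).
FAKE_DNS = {
    "cdn.example.com": ["203.0.114.10"],
    "rebind.example.com": ["203.0.114.10", "10.0.0.5"],  # mixed public/internal
    "internal.example.com": ["192.168.1.20"],
    "meta.example.com": ["::ffff:169.254.169.254"],       # IPv4-mapped link-local
}

def fake_resolver(host):
    return FAKE_DNS.get(host, [])

def system_resolver(host):
    """Every A/AAAA answer for host; the submitter may control which are returned."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []

def is_internal(addr):
    """True if addr is loopback, private, link-local or otherwise not globally routable."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # ::ffff:a.b.c.d must be judged as the IPv4 address
    return (not ip.is_global or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_unspecified or ip.is_reserved)

def is_safe_avatar_url(url, resolver=system_resolver):
    """Return True only if a server-side fetch of this avatar URL should be allowed.

    Rejects non-HTTP(S) schemes, embedded credentials, internal IP literals, and
    hostnames for which *any* resolved address is internal.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    if not parts.hostname or parts.username or parts.password:
        return False
    try:
        return not is_internal(parts.hostname)  # bare IP literal, v4 or v6
    except ValueError:
        pass  # not an IP literal: resolve the hostname
    addresses = resolver(parts.hostname)
    # Refuse when resolution fails; a single internal answer is enough to reject.
    return bool(addresses) and not any(is_internal(a) for a in addresses)
```

The address that passed the check must also be the one the fetch actually connects to (pin it), because a second lookup at fetch time can return a different answer.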

EPSS remains low, with a current score of 0.0098 and a recorded peak of 0.0129.

Vulnerability details

An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Change Avatar function. NOTE: the Supplier disputes this because of the allowed actions of Board administrators and because of SSRF mitigation.

CWE(s)

CWE-918 (Server-Side Request Forgery)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: mybb · Product: mybb · Version: 1.8.38

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry. Each entry addresses CWE-918.

- Penetration testing attempts server-side requests to internal resources, identifying SSRF weaknesses for remediation.
- Outbound connections to external resources can be monitored and limited at the network boundary, reducing SSRF impact.
- Validation of server-side URLs and resource references blocks SSRF attempts before a request is made.
- Monitoring of unexpected outbound connections detects server-side request forgery in progress.
