Cyber Resilience

CVE-2025-29459

Severity: High
Public PoC: yes
Published: 17 April 2025
Modified: 27 June 2025
KEV Added: not listed
Patch: (no entry)
CVSS Score v3.1: 7.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L)
EPSS Score: 0.0097 (77.1st percentile)
Risk Priority: 16 (weighting 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-29459 is a high-severity server-side request forgery (SSRF, CWE-918) vulnerability in MyBB 1.8.38 (listed by NVD under the vendor/product pair mybb/mybb). Its CVSS v3.1 base score is 7.6 (High).

Operationally, it ranks in the top 22.9% of CVEs by EPSS exploit likelihood (77.1st percentile); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

CVE-2025-29459 is an SSRF issue (CWE-918) affecting the Mail function in MyBB 1.8.38. The reported vulnerability permits a remote attacker to obtain sensitive information, and it carries a CVSS 3.1 score of 7.6 with network attack vector, low attack complexity, low privileges required and no user interaction. The NVD entry is marked as disputed: the vendor states that the behaviour matches actions intentionally available to board administrators and that MyBB's existing SSRF protections already limit exposure.

As scored, an authenticated attacker with low privileges can use the Mail function to trigger server-side requests that disclose internal or otherwise sensitive data. The CVSS impact metrics reflect high confidentiality exposure alongside limited integrity and availability effects, consistent with typical SSRF outcomes once mitigations are bypassed. Note the tension between the vector and the dispute: the vendor's position rests on the Mail function being a board-administrator action. If the request can only be issued by an administrator, the effective privilege requirement is closer to PR:H than the published PR:L, and the realistic exposure is a compromised or malicious administrator account rather than an ordinary member.

MyBB documentation recommends configuring restrictions that prevent outbound requests from reaching private hosts and IP addresses as the primary mitigation for this class of request-forgery risk; in practice that check has to be applied to the address the hostname actually resolves to, not only to the literal host string, or it is trivially bypassed. The second reference provides additional technical notes on the reported vector but does not alter the vendor's position on the issue. EPSS remains low, with a current value of 0.0097 and a peak of 0.0128.
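The following is an added example written for this page, not MyBB's own code or its SSRF protection: it shows the "block private hosts and IP addresses" mitigation implemented the way a practitioner would want it, i.e. the scheme and port are allowlisted, the hostname is resolved once, every resolved address (including IPv4-mapped IPv6 and decimal-IP forms that a libc resolver accepts) is checked against loopback, private, link-local, multicast, reserved and unspecified ranges, and the checked address is handed back so the caller connects to exactly that IP rather than re-resolving the name (which would reopen DNS-rebinding). The function names, `ALLOWED_SCHEMES`/`ALLOWED_PORTS` and the `FAKE_DNS` lookup table are assumptions made for the example; the table stands in for real DNS so the block runs offline.

```python
"""SSRF destination guard: resolve the target once, reject non-public answers,
and return the checked IP so the caller connects to that exact address.

Added illustration for CVE-2025-29459's mitigation class; not MyBB code.
Function names, allowlists and the constructed FAKE_DNS table are assumptions.
"""
import ipaddress
import socket
from dataclasses import dataclass
from typing import Callable, List, Optional, Union
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}      # assumed policy: web fetches only
ALLOWED_PORTS = {80, 443}                # assumed policy: standard web ports only
DEFAULT_PORTS = {"http": 80, "https": 443}

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def is_disallowed_ip(ip: IPAddress) -> bool:
    """True for any address an outbound fetch from a web app should never reach:
    loopback, RFC 1918 / ULA, link-local (which covers 169.254.169.254 cloud
    metadata), multicast, reserved and unspecified. IPv4-mapped IPv6 literals
    such as ::ffff:127.0.0.1 are judged as the embedded IPv4 address."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def system_resolver(host: str) -> List[str]:
    """Real lookup through the OS resolver; returns every A/AAAA answer."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


@dataclass
class Verdict:
    allowed: bool
    reason: str
    pinned_ip: Optional[str] = None   # connect here, and send the Host header yourself


def check_outbound_url(url: str,
                       resolver: Callable[[str], List[str]] = system_resolver) -> Verdict:
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return Verdict(False, f"scheme {scheme!r} not allowed")
    if parts.username is not None or parts.password is not None:
        return Verdict(False, "userinfo in URL not allowed")
    host = parts.hostname
    if not host:
        return Verdict(False, "missing host")
    try:
        port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    except ValueError:
        return Verdict(False, "invalid port")
    if port not in ALLOWED_PORTS:
        return Verdict(False, f"port {port} not allowed")

    # A literal IP is judged directly. Anything else is resolved and *every*
    # answer is judged, so a name with one public and one internal record
    # is still rejected.
    try:
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError as exc:            # socket.gaierror is an OSError
            return Verdict(False, f"unresolvable host {host!r}: {exc}")
        if not addrs:
            return Verdict(False, f"no addresses for {host!r}")
    for a in addrs:
        if is_disallowed_ip(ipaddress.ip_address(a)):
            return Verdict(False, f"{host!r} resolves to non-public address {a}")
    return Verdict(True, "ok", pinned_ip=addrs[0])


# Constructed lookup table standing in for DNS so the example runs offline.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "intranet.local": ["10.0.0.5"],
    "rebind.test": ["93.184.216.34", "127.0.0.1"],   # one public, one loopback record
    "2130706433": ["127.0.0.1"],   # models inet_aton accepting decimal 127.0.0.1
}


def fake_resolver(host: str) -> List[str]:
    """Constructed resolver: answers only from FAKE_DNS, fails like DNS otherwise."""
    if host not in FAKE_DNS:
        raise socket.gaierror(f"constructed resolver: no such host {host!r}")
    return FAKE_DNS[host]


if __name__ == "__main__":
    for u in ["https://example.com/hook", "http://intranet.local/",
              "http://[::ffff:169.254.169.254]/latest/meta-data/",
              "http://rebind.test/", "http://2130706433/", "ftp://example.com/"]:
        print(u, "->", check_outbound_url(u, fake_resolver))
```

The returned `pinned_ip` is the point of the design: after the check, open the connection to that IP and set the `Host` header to the original hostname, so the name is never resolved a second time between the check and the fetch. Validating the string alone, or validating and then letting the HTTP client resolve again, leaves the time-of-check/time-of-use gap that rebinding attacks exploit.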

Vulnerability details

An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Mail function. NOTE: the Supplier disputes this because of the allowed actions of Board administrators and because of SSRF mitigation.

CWE(s)

CWE-918: Server-Side Request Forgery (SSRF)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: mybb
Product: mybb
Version: 1.8.38

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Penetration testing (addresses CWE-918)
Attempts server-side requests to internal resources, identifying SSRF weaknesses for remediation.

Boundary egress control (addresses CWE-918)
Outbound connections to external resources can be monitored and limited at the boundary, reducing SSRF impact.

Server-side URL validation (addresses CWE-918)
Validates server-side URLs and resource references to block SSRF attempts.

Outbound connection monitoring (addresses CWE-918)
Detects server-side request forgery through monitoring of unexpected outbound connections.
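The monitoring control above is easiest to understand as rules run over an egress log, so here is an added example (written for this page, not vendor or project code) of the detection logic. The log format, the process names in `WEB_WORKERS`, the `EXPECTED_EGRESS` mail relay and the `SAMPLE_LOG` lines are all constructed for the example; a real deployment would feed it host-firewall, proxy or flow records. It flags any web-worker connection that is not the board's configured mail relay, rates connections to non-public addresses (RFC 1918, loopback, link-local including cloud metadata) as high, and raises a summary alert when one host reaches several distinct internal targets, which is what SSRF-driven internal probing looks like.

```python
"""Egress-log detector for SSRF: flag web-worker connections that leave the
expected path and summarise internal probing from one host.

Added example, not MyBB or vendor code. The log format, the process names,
the EXPECTED_EGRESS relay and the SAMPLE_LOG lines are all constructed here.
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed line shape: ISO timestamp followed by key=value pairs.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) proc=(?P<proc>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)

WEB_WORKERS = {"php-fpm", "apache2"}      # processes that serve the board (assumed)
EXPECTED_EGRESS = {("10.0.0.25", 587)}    # the board's configured SMTP relay (assumed)
INTERNAL_PROBE_THRESHOLD = 3              # distinct internal targets before calling it a scan


@dataclass
class Alert:
    severity: str
    rule: str
    src: str
    detail: str


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one log line, or None for lines that do not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def detect(lines: Iterable[str]) -> List[Alert]:
    alerts: List[Alert] = []
    internal_targets: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["proc"] not in WEB_WORKERS:
            continue                                   # not a web-worker connection
        dst, dport = ev["dst"], int(ev["dport"])
        if (dst, dport) in EXPECTED_EGRESS:
            continue                                   # the relay the Mail feature should talk to
        try:
            ip = ipaddress.ip_address(dst)
        except ValueError:
            continue                                   # hostnames are out of scope for this rule
        if not ip.is_global:
            internal_targets[ev["src"]].add((dst, dport))
            alerts.append(Alert("high", "web-worker-to-internal", ev["src"],
                                f"{ev['proc']} reached non-public {dst}:{dport} at {ev['ts']}"))
        else:
            alerts.append(Alert("medium", "web-worker-unlisted-egress", ev["src"],
                                f"{ev['proc']} reached unlisted public {dst}:{dport} at {ev['ts']}"))
    # Several distinct internal targets from one host looks like SSRF-driven probing.
    for src, targets in internal_targets.items():
        if len(targets) >= INTERNAL_PROBE_THRESHOLD:
            alerts.append(Alert("high", "internal-probe-burst", src,
                                f"{len(targets)} distinct internal targets: {sorted(targets)}"))
    return alerts


# Constructed sample: one legitimate relay connection, one unlisted public fetch,
# three internal probes (including cloud metadata), one non-web process, one bad line.
SAMPLE_LOG = [
    "2025-04-17T10:02:11Z src=web01 proc=php-fpm dst=10.0.0.25 dport=587",
    "2025-04-17T10:02:13Z src=web01 proc=php-fpm dst=93.184.216.34 dport=443",
    "2025-04-17T10:02:15Z src=web01 proc=php-fpm dst=169.254.169.254 dport=80",
    "2025-04-17T10:02:16Z src=web01 proc=php-fpm dst=10.0.0.5 dport=80",
    "2025-04-17T10:02:17Z src=web01 proc=php-fpm dst=10.0.0.6 dport=8080",
    "2025-04-17T10:02:18Z src=web01 proc=cron dst=10.0.0.7 dport=22",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"[{a.severity}] {a.rule} {a.src}: {a.detail}")
```

The allowlist is deliberately tiny: for a forum's mail feature the only legitimate outbound destination from the web worker is the mail relay, so everything else is worth at least a medium-severity ticket, and the non-global check catches the cloud metadata endpoint without needing it listed by name.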

References