CVE-2024-52594
Aliases:GHSA-4ff6-858j-r822GO-2025-3396
Advisory lineage Upstream: 0 Downstream: 2
Downstream
Deferred
Published: 16 Jan 2025, 18:57
Last modified:12 Feb 2025, 20:31
Vulnerability Summary
Overall Risk (default)
low
17/100 CVSS Score
4.3 MEDIUM
v3.1 (cve.org)
EPSS Score
0.11% LOW
0% probability -0.01%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
16 Jan 2025, 18:57
Published
Vulnerability first disclosed
12 Feb 2025, 20:31
Last Modified
Vulnerability information updated
Description
Gomatrixserverlib is a Go library for matrix federation. Gomatrixserverlib is vulnerable to server-side request forgery, serving content from a private network it can access, under certain conditions. The commit `c4f1e01` fixes this issue. Users are advised to upgrade. Users unable to upgrade should use a local firewall to limit the network segments and hosts the service using gomatrixserverlib can access.
CVSS Metrics
- v3.1•MEDIUM•Score: 4.3CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
EPSS Trends
Current EPSS score: 0.11%• Percentile: 29%
Techniques & Countermeasures
- CWE-918•Server-Side Request Forgery (SSRF)
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Affected Systems
- github.com/matrix-org•gomatrixserverlib
< 0.0.0-20250116181547-c4f1e01eab0d
- matrix-org•gomatrixserverlib
< c4f1e01eab0dd435709ad15463ed38a079ad6128
References (5)
- https://github.com/matrix-org/gomatrixserverlib/security/advisories/GHSA-4ff6-858j-r822
- https://github.com/matrix-org/gomatrixserverlib/commit/c4f1e01eab0dd435709ad15463ed38a079ad6128
- https://nvd.nist.gov/vuln/detail/CVE-2024-52594
- https://github.com/matrix-org/gomatrixserverlib
- https://pkg.go.dev/vuln/GO-2025-3396