Overview
The CVE-2025-59344 vulnerability is a significant cybersecurity concern for all users of AliasVault API versions 0.23.0 and lower. The flaw lies in the server-side request forgery (SSRF) within the favicon extraction feature. This vulnerability can potentially lead to system compromise or data leakage, underlining its critical nature.
Vulnerability Summary
CVE ID: CVE-2025-59344
Severity: High (7.7 CVSS Score)
Attack Vector: Network
Privileges Required: Low
User Interaction: Required
Impact: Potential system compromise and data leakage
Affected Products
Escape the Surveillance Era
Most apps won’t tell you the truth.
They’re part of the problem.
Phone numbers. Emails. Profiles. Logs.
It’s all fuel for surveillance.
Ameeba Chat gives you a way out.
- • No phone number
- • No email
- • No personal info
- • Anonymous aliases
- • End-to-end encrypted
Chat without a trace.
Product | Affected Versions
AliasVault API | 0.23.0 and lower
How the Exploit Works
The exploitation of this vulnerability requires a low-privilege user to submit a URL to the favicon extraction feature. Although the initial URL goes through validation, the extractor complies with redirects and is unable to block requests to loopback or internal IP ranges. An attacker can use this to force the backend into making HTTP(S) requests to arbitrary internal hosts and non-default ports. The response, if the target host serves a favicon or any other valid image, is returned to the attacker in Base64 form. Even without returned data, timing and error behavior can be exploited to map internal services.
Conceptual Example Code
This is a conceptual example of an HTTP request that could exploit the vulnerability:
POST /favicon_extractor HTTP/1.1
Host: target.example.com
Content-Type: application/json
{ "url": "http://internal-host:non_default_port" }This request would cause the backend to fetch the favicon from an internal host on a non-default port, potentially revealing sensitive data or mapping internal services.
