Vulnerability Description
ThinkDashboard is a self-hosted bookmark dashboard built with Go and vanilla JavaScript. Versions 0.6.7 and below contain a Blind Server-Side Request Forgery (SSRF) vulnerability, in its `/api/ping?url= endpoint`. This allows an attacker to make arbitrary requests to internal or external hosts. This can include discovering ports open on the local machine, hosts on the local network, and ports open on the hosts on the internal network. This issue is fixed in version 0.6.8.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Matiasdesuu | Thinkdashboard | < 0.6.8 |
Related Weaknesses (CWE)
References
- https://github.com/MatiasDesuu/ThinkDashboard/commit/16976263b22a4b0526b2c7c3029Patch
- https://github.com/MatiasDesuu/ThinkDashboard/releases/tag/0.6.8Release Notes
- https://github.com/MatiasDesuu/ThinkDashboard/security/advisories/GHSA-p52r-qq3jExploitVendor Advisory
- https://github.com/MatiasDesuu/ThinkDashboard/security/advisories/GHSA-p52r-qq3jExploitVendor Advisory
FAQ
What is CVE-2025-64327?
CVE-2025-64327 is a vulnerability with a CVSS score of 5.3 (MEDIUM). ThinkDashboard is a self-hosted bookmark dashboard built with Go and vanilla JavaScript. Versions 0.6.7 and below contain a Blind Server-Side Request Forgery (SSRF) vulnerability, in its `/api/ping?ur...
How severe is CVE-2025-64327?
CVE-2025-64327 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-64327?
Check the references section above for vendor advisories and patch information. Affected products include: Matiasdesuu Thinkdashboard.