CVE-2025-10329: Unmark SSRF Vulnerability

CVE-2025-10329 Overview

CVE-2025-10329 is a Server-Side Request Forgery (SSRF) vulnerability affecting cdevroe unmark versions up to 1.9.3. The flaw resides in the /application/controllers/Marks.php file, where the url argument is processed without sufficient validation. Authenticated remote attackers can manipulate the url parameter to coerce the application into issuing arbitrary HTTP requests on their behalf. A public proof-of-concept exploit is available, and the vendor did not respond to disclosure outreach. The vulnerability is tracked under CWE-918 (Server-Side Request Forgery).

Critical Impact

Attackers can leverage the vulnerable url parameter in Marks.php to probe internal networks, access metadata endpoints, or interact with services reachable from the application host.

Affected Products

• cdevroe unmark versions up to and including 1.9.3
• The /application/controllers/Marks.php controller component
• Deployments exposing the unmark bookmark management interface to authenticated users

Discovery Timeline

• 2025-09-12 - CVE-2025-10329 published to NVD
• 2026-04-29 - Last updated in NVD database

Technical Details for CVE-2025-10329

Vulnerability Analysis

The vulnerability exists in unmark, an open-source bookmark management application. The Marks.php controller accepts a url parameter intended to reference external resources for bookmarking. The application fetches the supplied URL server-side without restricting destination hosts, schemes, or internal IP ranges.

An authenticated attacker can supply URLs that target internal-only services such as http://127.0.0.1, RFC1918 ranges, or cloud metadata endpoints like http://169.254.169.254. The server then issues outbound requests and may return response data to the attacker. This enables internal reconnaissance, service enumeration, and potential credential theft when the host runs in a cloud environment.

Root Cause

The root cause is missing validation and allow-listing of the user-supplied url argument inside the Marks.php controller. The application trusts the parameter and forwards it directly to a server-side HTTP client. No checks are applied for loopback addresses, link-local addresses, private network ranges, or non-HTTP schemes.

Attack Vector

Exploitation requires network access to the unmark instance and low-privilege authenticated access. The attacker submits a crafted url value through the bookmark creation or processing workflow handled by Marks.php. The server then performs the SSRF request. Public proof-of-concept details are documented in the GitHub PoC Repository maintained by the reporter.

No verified code examples are available for inclusion. Refer to the GitHub PoC Example and VulDB Analysis #323755 for technical reproduction steps.

Detection Methods for CVE-2025-10329

Indicators of Compromise

• Outbound HTTP requests from the unmark application host directed at internal IP ranges, 127.0.0.1, or cloud metadata endpoints such as 169.254.169.254.
• POST or GET requests to unmark endpoints handled by Marks.php containing url parameters referencing non-public destinations.
• Unexpected DNS resolutions originating from the unmark server for attacker-controlled domains used in SSRF reconnaissance.

Detection Strategies

• Inspect web server access logs for requests to Marks.php whose url parameter contains private network addresses, loopback hosts, or non-HTTP schemes such as file:// and gopher://.
• Correlate application-initiated egress traffic with the originating HTTP request to identify SSRF-driven outbound calls.
• Deploy egress filtering telemetry to flag the unmark service contacting unusual internal services it does not normally communicate with.

Monitoring Recommendations

• Forward web server, application, and network flow logs to a centralized analytics platform for correlation between inbound url parameters and outbound connections.
• Alert on any access to cloud instance metadata services from application hosts that do not require it.
• Track authenticated user activity in unmark for anomalous bookmark submission patterns indicative of automated SSRF probing.

How to Mitigate CVE-2025-10329

Immediate Actions Required

• Restrict network access to the unmark application to trusted users while a fix is unavailable from the vendor.
• Block the unmark host from initiating connections to internal subnets, loopback interfaces, and cloud metadata endpoints at the network layer.
• Audit existing bookmark records for entries referencing internal hosts or metadata IPs that may indicate prior exploitation.

Patch Information

No vendor patch is currently available. The vendor was contacted prior to public disclosure but did not respond, according to the VulDB #323755 record. Organizations should track the upstream project for updates beyond version 1.9.3 and apply any future release that introduces URL validation in Marks.php.

Workarounds

• Place the unmark service behind a forward proxy that enforces an allow-list of external destinations and rejects requests to private address ranges.
• Apply a host-based firewall rule denying outbound traffic from the unmark process to 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, and 169.254.0.0/16.
• If self-maintained, modify Marks.php to validate the url argument against a strict scheme allow-list and resolve hostnames before issuing requests to confirm they map to public addresses.

# Example iptables egress restriction for the unmark host
iptables -A OUTPUT -m owner --uid-owner www-data -d 127.0.0.0/8 -j REJECT
iptables -A OUTPUT -m owner --uid-owner www-data -d 10.0.0.0/8 -j REJECT
iptables -A OUTPUT -m owner --uid-owner www-data -d 172.16.0.0/12 -j REJECT
iptables -A OUTPUT -m owner --uid-owner www-data -d 192.168.0.0/16 -j REJECT
iptables -A OUTPUT -m owner --uid-owner www-data -d 169.254.0.0/16 -j REJECT