CVE-2025-27501 Overview
CVE-2025-27501 is a Server-Side Request Forgery (SSRF) vulnerability in OpenZiti, an open source zero trust networking project. An unauthenticated endpoint on the OpenZiti admin panel accepts a user-supplied URL parameter intended to connect to an OpenZiti Controller. The application then issues a server-side request to that URL using the node's identity. Attackers can abuse the endpoint to reach internal services or leverage the node identity for additional permissions. The maintainers fixed the issue in version 3.7.1 by moving the controller request from the server side to the client side. The vulnerability is tracked under [CWE-918].
Critical Impact
An unauthenticated remote attacker can coerce the OpenZiti node to issue server-side requests, potentially exposing internal resources and abusing the node's identity for privilege gain.
Affected Products
- OpenZiti ziti-console versions prior to 3.7.1
- Deployments exposing the OpenZiti admin panel
- Self-hosted OpenZiti Controller environments using the affected console
Discovery Timeline
- 2025-03-03 - CVE-2025-27501 published to NVD
- 2025-04-23 - Last updated in NVD database
Technical Details for CVE-2025-27501
Vulnerability Analysis
The vulnerability resides in an admin panel endpoint that is reachable without authentication. The endpoint takes a URL parameter from the request and uses it to perform an outbound HTTP request from the server. Because the request originates from the OpenZiti node, the destination receives traffic associated with the node's identity and network position. Attackers can therefore target internal hosts, cloud metadata services, or other restricted endpoints that are otherwise unreachable from the public internet. The flaw is classified as Server-Side Request Forgery under [CWE-918].
Root Cause
The root cause is that the controller connection request executes on the server side using the OpenZiti node identity, combined with the absence of authentication and URL validation on the endpoint. The fix in version 3.7.1 relocates the request to the client side, which removes the node identity from the request path and prevents attackers from leveraging it.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker sends a crafted HTTP request to the vulnerable admin panel endpoint with a URL parameter pointing to an internal or sensitive target. The OpenZiti node then issues the request on the attacker's behalf. The scope change in the CVSS vector reflects the ability to impact resources beyond the vulnerable component, such as backend controllers and adjacent internal services.
No public proof-of-concept code has been released. Refer to the GitHub Security Advisory for vendor technical details.
Detection Methods for CVE-2025-27501
Indicators of Compromise
- Unexpected outbound HTTP requests from the OpenZiti node to internal IP ranges, cloud metadata endpoints (169.254.169.254), or non-standard hosts.
- Admin panel access log entries showing the controller-connection endpoint invoked without an authenticated session.
- Repeated requests from a single source containing varying url query parameters.
Detection Strategies
- Inspect web server and reverse proxy logs for unauthenticated calls to the OpenZiti admin panel controller endpoint.
- Correlate inbound admin panel requests with subsequent outbound HTTP requests from the same host to detect SSRF patterns.
- Alert when the OpenZiti node initiates connections to RFC1918 addresses or cloud metadata services outside normal operational baselines.
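The following Python script is an added example, not code from this advisory or from the OpenZiti project. It serves two passages above: it shows the target validation the root-cause section says the endpoint lacked (http(s) only, and every resolved address checked against private, loopback and link-local ranges, which cover the 169.254.169.254 metadata address), and it applies that same check as a detection over constructed reverse-proxy access log lines, flagging unauthenticated calls to the controller-connection endpoint whose url parameter points at an internal host. The endpoint path /api/controller, the url parameter name, the log layout with its session field, and the stub DNS table are all assumptions, since the advisory states none of them.

```python
"""Added example (not OpenZiti or ziti-console code): SSRF target validation
and a log-based detection for unauthenticated controller-connection requests.

Assumptions, since the advisory does not state them: the endpoint path
/api/controller, the 'url' query parameter, the access-log layout and the
stub DNS table are all constructed for illustration.
"""
import ipaddress
import re
import socket
from urllib.parse import parse_qs, urlsplit

# Hypothetical endpoint path of the controller-connection feature.
CONTROLLER_ENDPOINT = "/api/controller"

# Destinations a panel should never be coerced into reaching: RFC1918 space,
# loopback, link-local (includes 169.254.169.254) and the IPv6 equivalents.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_blocked_ip(addr: str) -> bool:
    """True if addr (an IP literal) falls inside any blocked range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    # Judge IPv4-mapped IPv6 literals such as ::ffff:10.0.0.1 by their IPv4 form.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def resolve_all(host: str) -> list:
    """Default resolver: every A/AAAA answer, because a multi-answer or
    rebinding name can hide one internal address among public ones."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


# Constructed DNS table so the example runs offline.
STUB_DNS = {"controller.example.net": ["203.0.113.50"], "localhost": ["127.0.0.1"]}


def stub_resolver(host: str) -> list:
    if host not in STUB_DNS:
        raise socket.gaierror(f"constructed stub: unknown host {host}")
    return STUB_DNS[host]


def classify_target(url: str, resolver=resolve_all) -> str:
    """Return 'blocked', 'allowed' or 'invalid' for a user-supplied URL.

    This is the validation the vulnerable endpoint did not perform. Numeric
    oddities (decimal or hex IPs) are not literals for ipaddress, so they go
    through the resolver, which judges the address the OS would connect to.
    """
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return "invalid"
    if parts.scheme not in ("http", "https") or not host:
        return "invalid"
    try:
        ipaddress.ip_address(host)
        addrs = [host]
    except ValueError:
        try:
            addrs = resolver(host)
        except socket.gaierror:
            return "invalid"
    if not addrs:
        return "invalid"
    return "blocked" if any(is_blocked_ip(a) for a in addrs) else "allowed"


# Constructed reverse-proxy access log layout: client, ident, user, [time],
# "request", status, bytes, "referer", "user-agent", session=<id or ->.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "[^"]*" session=(?P<session>\S+)$'
)

SAMPLE_LOG_LINES = [  # constructed, not real logs
    '203.0.113.7 - - [03/Mar/2025:10:01:02 +0000] "GET /api/controller?url=https://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 512 "-" "curl/8.4" session=-',
    '203.0.113.7 - - [03/Mar/2025:10:01:03 +0000] "GET /api/controller?url=http://10.0.0.5/ HTTP/1.1" 200 133 "-" "curl/8.4" session=-',
    '198.51.100.9 - - [03/Mar/2025:10:02:10 +0000] "GET /api/controller?url=https://controller.example.net/ HTTP/1.1" 200 133 "-" "Mozilla/5.0" session=abc123',
    '203.0.113.7 - - [03/Mar/2025:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "curl/8.4" session=-',
]


def scan_access_log(lines, resolver=resolve_all) -> list:
    """Flag controller-endpoint calls that have no session (unauthenticated)
    or whose url parameter points at a blocked destination; both together is
    the SSRF pattern described in the advisory."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        req = urlsplit(m["path"])
        if req.path != CONTROLLER_ENDPOINT:
            continue
        target = parse_qs(req.query).get("url", [""])[0]
        reasons = []
        if m["session"] == "-":
            reasons.append("unauthenticated")
        if target and classify_target(target, resolver) == "blocked":
            reasons.append("internal-target")
        if reasons:
            findings.append({"client": m["client"], "time": m["time"],
                             "target": target, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG_LINES, stub_resolver):
        print(finding)
```

Run against real logs, drop the stub and let classify_target use the default resolver; the check then judges the address the node would actually connect to, which is the property that matters when the destination is named indirectly.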
Monitoring Recommendations
- Forward OpenZiti node, controller, and admin panel logs to a centralized SIEM such as Singularity Data Lake for retention and correlation.
- Track egress traffic from OpenZiti hosts and baseline normal destinations to flag deviations.
- Monitor for version strings in HTTP responses or deployment manifests indicating versions earlier than 3.7.1.
How to Mitigate CVE-2025-27501
Immediate Actions Required
- Upgrade OpenZiti ziti-console to version 3.7.1 or later across all deployments.
- Restrict network access to the admin panel using firewall rules, allowlists, or VPN-only access.
- Rotate any node identities or credentials that may have been exposed through SSRF abuse.
- Audit recent admin panel logs for unauthenticated calls to the controller endpoint.
Patch Information
The issue is fixed in OpenZiti ziti-console 3.7.1. The patch moves the controller connection request from the server side to the client side, eliminating use of the node identity for outbound requests. Patch details are available in the GitHub Security Advisory GHSA-fqxh-vfv5-8qjp.
Workarounds
- Place the admin panel behind an authenticating reverse proxy that blocks unauthenticated access to the vulnerable endpoint.
- Apply egress filtering on OpenZiti nodes to deny outbound requests to internal networks and cloud metadata services.
- Disable public exposure of the admin panel until the upgrade can be applied.
# Example egress restriction using iptables on an OpenZiti node.
# Rules are appended to OUTPUT, so they must precede any broad ACCEPT rule;
# adjust them if the node legitimately needs any of these destinations.
# Cloud metadata service (link-local address), all protocols
iptables -A OUTPUT -d 169.254.169.254 -j DROP
# HTTP/HTTPS to all three RFC1918 ranges (172.16.0.0/12 included)
iptables -A OUTPUT -d 10.0.0.0/8 -p tcp --dport 80 -j DROP
iptables -A OUTPUT -d 10.0.0.0/8 -p tcp --dport 443 -j DROP
iptables -A OUTPUT -d 172.16.0.0/12 -p tcp --dport 80 -j DROP
iptables -A OUTPUT -d 172.16.0.0/12 -p tcp --dport 443 -j DROP
iptables -A OUTPUT -d 192.168.0.0/16 -p tcp --dport 80 -j DROP
iptables -A OUTPUT -d 192.168.0.0/16 -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

