CVE-2025-31117 Overview
OpenEMR, a widely used free and open source electronic health records (EHR) and medical practice management application, contains an Out-of-Band Server-Side Request Forgery (OOB SSRF) vulnerability. The flaw lets an attacker make the server issue requests to destinations of the attacker's choosing, internal or external. The attacker does not see the response directly (the SSRF is blind), but can confirm and steer the requests through DNS or HTTP interactions with infrastructure they control, and use them to reach internal services of the healthcare environment that are not otherwise exposed to them.
Critical Impact
Attackers can use the SSRF to probe internal network infrastructure, reach internal services that trust the OpenEMR host, and confirm each blind request through out-of-band DNS or HTTP callbacks. In a healthcare environment those internal services may hold patient data, so any request the server can be made to issue on an attacker's behalf must be treated as a potential data-exposure path.
Affected Products
- OpenEMR versions prior to 7.0.3.1
- Any such installation whose DICOM viewer (library/js/dwv/dicom_launcher.js) still offers URL-based loading, which is the shipped configuration before the fix
Discovery Timeline
- 2025-03-31 - CVE-2025-31117 published to NVD
- 2025-04-30 - Last updated in NVD database
Technical Details for CVE-2025-31117
Vulnerability Analysis
This Out-of-Band SSRF vulnerability lives in OpenEMR's DICOM viewer component, specifically in library/js/dwv/dicom_launcher.js. The launcher accepted URL-based loading of DICOM files without validating the URL, so an attacker could supply an arbitrary URL that the application then requested on their behalf.
Because the SSRF is out-of-band, the attacker does not receive the body of the response. What they do get is confirmation that the request was made, typically a DNS lookup or HTTP hit on infrastructure they control that carries a unique token per payload. That is enough to map internal hosts and ports by watching which payloads trigger callbacks, and to drive requests at internal services that accept unauthenticated GETs. In an OpenEMR deployment, where the server sits next to the systems holding patient records, that reconnaissance capability is the real risk.
Root Cause
The root cause is the inclusion of "Url" as an accepted loader type when the DICOM viewer is initialised. The dwv (DICOM Web Viewer) component was configured to load DICOM files from arbitrary URLs with no allow-list or other URL validation, so requests could be directed to any destination the attacker named, including internal network resources and attacker-controlled servers.
Attack Vector
The attack is network-accessible and needs no interaction from another user. The DICOM viewer is launched from the patient documents module, so the attacker needs an OpenEMR session that can open a DICOM document; a low-privileged account clears that bar, so internet-facing deployments should still treat the issue as urgent. An attacker crafts a viewer request whose URL points at internal infrastructure (for example http://localhost, http://169.254.169.254 for cloud metadata services, or RFC 1918 ranges) or at an attacker-controlled server set up to record the out-of-band callback.
The following patch shows the security fix that removes the URL loading capability from the DICOM viewer:
// initialise the application
const loaderList = [
- "File",
- "Url"
+ "File"
];
const filterList = [
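Review bot: removing "Url" from loaderList stops the launcher from offering the URL loader, but the hunk shows nothing about other routes that could still hand a user-supplied URL to dwv (for example a query-string-driven load, if the launcher uses one), so the change should be checked against every place the viewer is initialised before it is considered complete. A one-line comment above loaderList stating why "Url" was removed would keep a future refactor from adding it back, and a test asserting that the viewer's load-from-URL path is unreachable, not merely unlisted, would make the fix verifiable.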
Source: GitHub Commit Update
The fix removes the "Url" loader from the allowed loader list, so the viewer only accepts files supplied through the file loader. It removes the entry point rather than adding validation around it, which is the right call when URL loading is not a clinical requirement.
Detection Methods for CVE-2025-31117
Indicators of Compromise
- Unusual outbound HTTP or DNS requests originating from the OpenEMR server to external or unexpected internal destinations
- DNS query logs showing resolution attempts for attacker-controlled domains from the web server
- Network traffic from the OpenEMR server to cloud metadata endpoints (e.g., 169.254.169.254)
- HTTP requests in server logs containing DICOM viewer endpoints with URL parameters pointing to internal resources
Detection Strategies
- Monitor outbound network connections from OpenEMR servers for connections to unexpected internal IP ranges or external domains
- Implement DNS logging and alerting for unusual resolution patterns from web application servers
- Deploy network segmentation and monitor any attempts by the OpenEMR server to access restricted internal services
- Review web application logs for DICOM-related endpoints receiving URL parameters with internal or suspicious external addresses
Monitoring Recommendations
- Configure your EDR (SentinelOne, for example) to monitor network activity of the OpenEMR web server process for suspicious outbound connections
- Implement egress filtering and alert on any blocked outbound connection attempts from the application tier
- Enable detailed logging on the OpenEMR application and correlate with network traffic analysis
- Deploy canary tokens or honeypot services on internal networks to detect SSRF-based reconnaissance
How to Mitigate CVE-2025-31117
Immediate Actions Required
- Upgrade OpenEMR to version 7.0.3.1 or later immediately to apply the security patch
- Audit network access permissions for OpenEMR servers and implement strict egress filtering
- Review server logs for any indicators of prior exploitation attempts targeting DICOM viewer functionality
- Temporarily disable or restrict access to DICOM viewer functionality if immediate patching is not possible
Patch Information
The vulnerability has been fixed in OpenEMR version 7.0.3.1. The security patch removes the URL loading capability from the DICOM viewer by modifying the library/js/dwv/dicom_launcher.js file to only allow local file-based loading. Organizations should apply this update immediately given the sensitive nature of healthcare data managed by OpenEMR.
For detailed patch information, see the GitHub Commit Update and the GitHub Security Advisory GHSA-2pvv-ph3x-2f9h.
Workarounds
- Implement web application firewall (WAF) rules to block requests to DICOM-related endpoints whose parameters carry URLs; a WAF only catches URL-shaped values it can decode, so treat this as a stopgap until the patch is applied
- Deploy network-level egress filtering to prevent the OpenEMR server from initiating outbound connections to unauthorized destinations
- Use network segmentation to isolate OpenEMR servers from sensitive internal resources and cloud metadata services
- Disable or remove the DICOM viewer functionality entirely if not required for clinical operations
# Example: restrict outbound connections from the OpenEMR web server user (Linux iptables).
# Order matters: ACCEPT rules for services the application legitimately needs go first,
# e.g. a MySQL/MariaDB instance reached over TCP on localhost (adjust to your deployment).
iptables -A OUTPUT -m owner --uid-owner www-data -d 127.0.0.1 -p tcp --dport 3306 -j ACCEPT
# Then drop loopback, RFC 1918, carrier-grade NAT and link-local (incl. 169.254.169.254 metadata).
iptables -A OUTPUT -m owner --uid-owner www-data -d 127.0.0.0/8 -j DROP
iptables -A OUTPUT -m owner --uid-owner www-data -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -m owner --uid-owner www-data -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -m owner --uid-owner www-data -d 192.168.0.0/16 -j DROP
iptables -A OUTPUT -m owner --uid-owner www-data -d 100.64.0.0/10 -j DROP
iptables -A OUTPUT -m owner --uid-owner www-data -d 169.254.0.0/16 -j DROP
# Add equivalent ip6tables rules (::1/128, fc00::/7, fe80::/10) and confirm the web server's
# actual uid (www-data on Debian/Ubuntu, apache on RHEL-family) before enabling these rules.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.