The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • AI Data Pipelines
      Security Data Pipeline for AI SIEM and Data Optimization
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2025-31117

CVE-2025-31117: OpenEMR SSRF Vulnerability

CVE-2025-31117 is an Out-of-Band Server-Side Request Forgery vulnerability in OpenEMR that enables attackers to force unauthorized requests to internal or external resources. This article covers technical details, affected versions, impact, and mitigation strategies.

Updated: May 15, 2026

CVE-2025-31117 Overview

CVE-2025-31117 is an Out-of-Band Server-Side Request Forgery (OOB SSRF) vulnerability in OpenEMR, an open source electronic health records and medical practice management application. The flaw allows an unauthenticated attacker to coerce the OpenEMR server into issuing unauthorized HTTP or DNS requests to attacker-controlled or internal resources. Because the response is not returned directly to the attacker, exploitation relies on out-of-band channels such as DNS lookups or HTTP callbacks to exfiltrate sensitive data. The vulnerability is tracked under [CWE-918] and is fixed in OpenEMR version 7.0.3.1.

Critical Impact

An unauthenticated remote attacker can pivot the OpenEMR server into internal networks, probe internal services, and exfiltrate sensitive information through out-of-band channels.

Affected Products

  • OpenEMR versions prior to 7.0.3.1
  • Self-hosted OpenEMR deployments exposed to untrusted networks
  • Containerized OpenEMR instances running vulnerable releases

Discovery Timeline

  • 2025-03-31 - CVE-2025-31117 published to NVD
  • 2025-04-30 - Last updated in NVD database

Technical Details for CVE-2025-31117

Vulnerability Analysis

The vulnerability is a Server-Side Request Forgery flaw classified under [CWE-918]. OpenEMR accepts attacker-influenced input that is subsequently used by the server to issue outbound network requests. Because no validation or allowlisting restricts the destination of these requests, an attacker can direct OpenEMR to contact arbitrary hosts. The server does not return the response body to the client, making this an out-of-band variant. Attackers confirm exploitation by observing DNS queries or HTTP callbacks on infrastructure they control. The flaw is network-reachable and requires no authentication or user interaction.

Root Cause

The root cause is missing validation of user-supplied URLs or hostnames before OpenEMR initiates server-side network requests. Without an allowlist of permitted destinations or sanitization of host and scheme components, the application forwards requests to any address the attacker supplies, including internal RFC1918 addresses, cloud metadata endpoints, and external attacker infrastructure.

Attack Vector

The attack is launched over the network against an exposed OpenEMR endpoint that processes attacker-supplied URLs. The attacker injects a hostname pointing to a DNS or HTTP listener under their control. When OpenEMR resolves and connects to that host, the attacker records the interaction. The same primitive can be redirected against internal services to enumerate the network, reach cloud metadata APIs, or stage data exfiltration. No verified public proof-of-concept code is available; see the GitHub Security Advisory GHSA-2pvv-ph3x-2f9h for technical details.

Detection Methods for CVE-2025-31117

Indicators of Compromise

  • Outbound DNS queries from the OpenEMR host to unfamiliar domains, particularly common SSRF canary services or attacker-controlled subdomains
  • Outbound HTTP or HTTPS connections from OpenEMR application processes to RFC1918 ranges or cloud metadata endpoints such as 169.254.169.254
  • Unexpected egress traffic originating from the PHP or web server process running OpenEMR

Detection Strategies

  • Inspect web server access logs for requests containing URL parameters with external or internal hostnames, IP literals, or non-HTTP schemes
  • Correlate inbound HTTP requests to OpenEMR with subsequent outbound DNS or HTTP traffic from the same host within a short time window
  • Deploy egress monitoring that flags any outbound connection from the OpenEMR server to destinations outside an approved allowlist

Monitoring Recommendations

  • Forward OpenEMR application logs, web server logs, and DNS resolver logs to a centralized SIEM for correlation
  • Alert on connections from OpenEMR hosts to cloud instance metadata endpoints and link-local addresses
  • Track the OpenEMR version banner across deployments to identify hosts still running releases prior to 7.0.3.1

How to Mitigate CVE-2025-31117

Immediate Actions Required

  • Upgrade OpenEMR to version 7.0.3.1 or later, which contains the official fix
  • Restrict outbound network access from OpenEMR servers to only the destinations required for normal operation
  • Block OpenEMR hosts from reaching cloud metadata services and internal management networks at the firewall layer

Patch Information

The vulnerability is fixed in OpenEMR 7.0.3.1. The upstream code change is documented in the OpenEMR GitHub commit aa6f50e and the GitHub Security Advisory GHSA-2pvv-ph3x-2f9h. Administrators should apply the patched release rather than attempting to backport individual changes.

Workarounds

  • Place OpenEMR behind a reverse proxy or web application firewall configured to strip or validate URL-bearing parameters
  • Configure host-level egress filtering to permit only required outbound destinations from the OpenEMR application server
  • Disable or restrict OpenEMR features that fetch remote resources until the patched version can be deployed
bash
# Example iptables egress restriction for an OpenEMR host
# Block access to cloud metadata and RFC1918 ranges from the web user
iptables -A OUTPUT -m owner --uid-owner www-data -d 169.254.169.254 -j DROP
iptables -A OUTPUT -m owner --uid-owner www-data -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -m owner --uid-owner www-data -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -m owner --uid-owner www-data -d 192.168.0.0/16 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeSSRF

  • Vendor/TechOpen Emr

  • SeverityMEDIUM

  • CVSS Score6.9

  • EPSS Probability1.15%

  • Known ExploitedNo
  • CVSS Vector
  • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityNone
  • CWE References
  • CWE-918
  • Vendor Resources
  • GitHub Commit Details

  • GitHub Security Advisory GHSA-2pvv-ph3x-2f9h
  • Related CVEs
  • CVE-2023-54347: OpenEMR Auth Bypass Vulnerability

  • CVE-2026-32120: OpenEMR Auth Bypass Vulnerability

  • CVE-2026-33909: OpenEMR SQL Injection Vulnerability

  • CVE-2026-33931: OpenEMR Information Disclosure Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English