CVE-2025-59951: Termix Authentication Bypass Vulnerability

CVE-2025-59951 Overview

CVE-2025-59951 is a critical authentication bypass vulnerability in Termix, a web-based server management platform that provides SSH terminal, tunneling, and file editing capabilities. The vulnerability exists in the official Docker image for Termix versions 1.5.0 and below, where a misconfigured Nginx reverse proxy causes the backend to retrieve the proxy's IP address instead of the client's actual IP when using the req.ip method. This misconfiguration results in the isLocalhost function always returning True, allowing unauthenticated attackers to access sensitive internal endpoints.

Critical Impact

Attackers can directly access the /ssh/db/host/internal endpoint without login or authentication, exposing stored SSH host information including addresses, usernames, and passwords. This poses an extremely high security risk for any organization using the affected Docker configurations.

Affected Products

• Termix versions 1.5.0 and below (official Docker image)
• Custom Docker images built using the official Dockerfile
• Termix deployments utilizing reverse proxy functionality

Discovery Timeline

• October 1, 2025 - CVE-2025-59951 published to NVD
• October 20, 2025 - Last updated in NVD database

Technical Details for CVE-2025-59951

Vulnerability Analysis

This vulnerability stems from two distinct weaknesses classified as CWE-284 (Improper Access Control) and CWE-345 (Insufficient Verification of Data Authenticity). When Termix is deployed using the official Docker image or behind an Nginx reverse proxy, the application's access control mechanism relies on the req.ip method to determine the client's IP address for localhost verification. However, due to the reverse proxy configuration, the backend consistently receives the proxy's internal IP address rather than the actual client IP.

The isLocalhost function, designed to restrict access to sensitive internal endpoints, incorrectly evaluates all incoming requests as originating from localhost. This authentication bypass allows remote attackers on the network to access the /ssh/db/host/internal endpoint, which contains sensitive SSH credentials including host addresses, usernames, and passwords stored by the system.

Root Cause

The root cause is improper trust boundary implementation in the Docker and reverse proxy configuration. The Nginx reverse proxy does not properly forward the original client IP address using headers such as X-Forwarded-For or X-Real-IP, and the Termix backend does not validate these headers when determining client origin. This creates a scenario where the application's security controls that depend on IP-based localhost verification are completely bypassed.

Attack Vector

The attack vector is network-based, requiring no authentication, privileges, or user interaction. An attacker can exploit this vulnerability by directly sending HTTP requests to the /ssh/db/host/internal endpoint on an exposed Termix instance. The attack flow involves:

1. Identifying a Termix instance running with the vulnerable Docker configuration
2. Sending a direct HTTP request to the /ssh/db/host/internal endpoint
3. Receiving the complete SSH host database, including credentials, without any authentication challenge

This vulnerability can be exploited remotely by any network-adjacent or internet-facing attacker who can reach the Termix instance.

Detection Methods for CVE-2025-59951

Indicators of Compromise

• Unusual or unauthorized HTTP requests to the /ssh/db/host/internal endpoint in web server logs
• Access attempts to internal API endpoints from external IP addresses
• Unexpected SSH connection attempts to managed hosts using credentials stored in Termix
• Evidence of credential harvesting or lateral movement within the network

Detection Strategies

• Monitor web server access logs for requests to /ssh/db/host/internal and other internal endpoints
• Implement network intrusion detection rules to identify unauthenticated access attempts to Termix management endpoints
• Enable detailed logging for Termix and review authentication events for anomalies
• Deploy web application firewall rules to block unauthorized access to internal API paths

Monitoring Recommendations

• Configure alerts for any access to internal endpoints from non-localhost IP addresses
• Implement real-time log analysis for Termix and associated Nginx reverse proxy logs
• Monitor for credential reuse or suspicious SSH connection patterns across managed infrastructure
• Establish baseline traffic patterns to identify anomalous behavior targeting Termix endpoints

How to Mitigate CVE-2025-59951

Immediate Actions Required

• Upgrade Termix to version 1.6.0 or later, which contains the fix for this vulnerability
• Restrict network access to Termix instances to trusted IP ranges only
• Audit SSH credentials stored in Termix and rotate any potentially compromised credentials
• Review access logs for evidence of unauthorized endpoint access
• Consider temporarily taking vulnerable Termix instances offline until patches can be applied

Patch Information

The vulnerability has been fixed in Termix version 1.6.0. Users should upgrade immediately to this version or later. Technical details about the fix are available in the GitHub Pull Request #221 and the GitHub Security Advisory GHSA-92cw-877q-6r94.

Workarounds

• Configure the Nginx reverse proxy to properly forward client IP addresses using X-Forwarded-For or X-Real-IP headers
• Implement network-level access controls to restrict access to Termix management interfaces
• Use firewall rules to block external access to internal API endpoints such as /ssh/db/host/internal
• Deploy an additional authentication layer in front of Termix instances until the patch can be applied

# Example Nginx configuration to properly forward client IP
# Add to your Nginx reverse proxy configuration
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;