CVE-2025-64327 Overview
CVE-2025-64327 is a Blind Server-Side Request Forgery (SSRF) vulnerability in ThinkDashboard, a self-hosted bookmark dashboard built with Go and vanilla JavaScript. The flaw resides in the /api/ping?url= endpoint in versions 0.6.7 and below. Attackers can force the application to issue arbitrary HTTP requests to internal or external hosts. This enables reconnaissance of internal network topology, discovery of open ports on the local machine, and enumeration of services reachable from the ThinkDashboard host. The issue is tracked under [CWE-918] and fixed in version 0.6.8.
Critical Impact
Unauthenticated attackers can abuse the /api/ping endpoint to probe internal network resources and map services that would otherwise be inaccessible from the internet.
Affected Products
- ThinkDashboard versions 0.6.7 and below
- matiasdesuu:thinkdashboard (all releases prior to 0.6.8)
- Self-hosted deployments exposing the /api/ping endpoint
Discovery Timeline
- 2025-11-06 - CVE-2025-64327 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-64327
Vulnerability Analysis
The /api/ping?url= endpoint accepts a user-controlled URL parameter and issues an HTTP request to the specified destination. The server does not validate or restrict the target host, scheme, or port. An attacker can supply URLs pointing to internal IP ranges such as 127.0.0.1, 169.254.169.254, or RFC1918 addresses. The server-side HTTP client fetches these targets and returns timing or error signals that reveal whether a service is listening.
Because the response body is not reflected back to the caller, this is classified as a Blind SSRF. Attackers still extract information from response timing, connection errors, and HTTP status differences. This is sufficient to enumerate reachable hosts and open ports across the internal network.
Root Cause
The root cause is missing input validation on the url query parameter passed to /api/ping. The handler in handlers.go did not enforce an allowlist of schemes, block loopback and private IP ranges, or restrict the destination port. Any input parseable as a URL was accepted and dispatched.
Attack Vector
Exploitation requires network access to the ThinkDashboard application and no authentication or user interaction. An attacker sends crafted GET requests to /api/ping?url=<target> with <target> set to internal addresses. Iterating across IP ranges and ports allows the attacker to build a map of internal services.
// Excerpt from the patch in handlers.go (v0.6.8)
// New imports added to support hardened URL validation
"crypto/tls"
"embed"
"encoding/json"
+ "fmt"
"html/template"
"io"
"net/http"
Source: GitHub commit 1697626
Detection Methods for CVE-2025-64327
Indicators of Compromise
- Requests to /api/ping?url= containing loopback addresses (127.0.0.1, localhost, ::1)
- Requests to /api/ping?url= referencing RFC1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
- Requests targeting cloud metadata endpoints such as 169.254.169.254
- High-volume sequential requests to /api/ping iterating through port numbers
Detection Strategies
- Alert on any outbound HTTP connection originating from the ThinkDashboard process to non-public IP ranges.
- Correlate inbound requests to /api/ping with subsequent outbound requests to internal subnets.
- Deploy web application firewall (WAF) rules that inspect the url parameter and block private or reserved address ranges.
Monitoring Recommendations
- Log all requests to /api/ping with full query strings for retrospective analysis.
- Monitor for anomalous request rates against the ping endpoint from single source IPs.
- Enable egress network flow logging on the ThinkDashboard host to detect scanning behavior.
How to Mitigate CVE-2025-64327
Immediate Actions Required
- Upgrade ThinkDashboard to version 0.6.8 or later immediately.
- Restrict network exposure of ThinkDashboard to trusted users behind a VPN or reverse proxy with authentication.
- Audit access logs for suspicious /api/ping requests targeting internal ranges.
Patch Information
The fix is included in ThinkDashboard 0.6.8. Review the GitHub Security Advisory GHSA-p52r-qq3j-8p78 and the GitHub Release 0.6.8 for release notes. The upstream code changes are documented in GitHub commit 1697626.
Workarounds
- Block the /api/ping endpoint at the reverse proxy until the upgrade is applied.
- Enforce egress firewall rules that prevent the ThinkDashboard host from reaching internal subnets or cloud metadata services.
- Deploy WAF rules that reject requests containing private IPs or hostnames in the url parameter.
# Example nginx rule to block /api/ping until upgrade
location /api/ping {
return 403;
}
# Example iptables egress restriction for the ThinkDashboard host
iptables -A OUTPUT -m owner --uid-owner thinkdashboard -d 169.254.169.254 -j DROP
iptables -A OUTPUT -m owner --uid-owner thinkdashboard -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -m owner --uid-owner thinkdashboard -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -m owner --uid-owner thinkdashboard -d 192.168.0.0/16 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

