A critical vulnerability in the official Termix Docker image puts users at risk of exposing sensitive SSH credentials.
The flaw allows anyone with network access to the instance to retrieve stored host addresses, usernames, and passwords without logging in.
How the Vulnerability Works
Termix provides a Docker image that runs a Node.js backend behind an Nginx reverse proxy.
The backend uses the req.ip property to decide whether a request came from the local machine, as reported by security researchers.
Because Nginx and the Termix backend run in the same container, the TCP peer of every backend connection is the proxy, so req.ip always evaluates to the proxy's address (127.0.0.1). The application therefore treats every request, including one from a remote attacker, as if it originated on localhost.
| Field | Value |
| --- | --- |
| CVE ID | CVE-2025-59951 |
| Package | Termix (Node.js) |
| Affected Versions | release-0.1.1-tag – release-1.6.0-tag |
| Patched Versions | None |
| Severity | Critical |
As a result, anyone can call the /ssh/db/host/internal endpoint and retrieve stored SSH host details without any authentication.
In a typical deployment, the Termix service runs inside a virtual machine. Attackers can scan network assets to find exposed instances.
By sending a single GET request to the vulnerable endpoint, they receive the list of SSH hosts stored by the service, including the credentials needed to connect to the upstream servers.
This vulnerability affects all Termix Docker releases from release-0.1.1-tag through release-1.6.0-tag. No patched version exists at the time of writing.
Systems using the official image, or custom images built from the official Dockerfile, are vulnerable if they use an Nginx reverse proxy with default settings. Security teams can reproduce the flaw by accessing:
http://<host>:<port>/ssh/db/host/internal
With a plain, unauthenticated HTTP request, the backend returns the full SSH host configuration. Network scanners and asset mapping platforms make it easy for attackers to discover vulnerable hosts.
Once access is gained, an adversary can use the harvested SSH credentials to move laterally across the network or to stage further attacks.
Mitigation and Suggestions
To protect against this issue, modify the backend validation logic to use the X-Real-IP header that the proxy sets, instead of req.ip or the default proxy-forwarded IP. That header is only trustworthy if Nginx overwrites it from the real TCP peer (proxy_set_header X-Real-IP $remote_addr;) and the backend is reachable only through the proxy; otherwise a client can supply its own X-Real-IP and the check is bypassed again.
With those conditions met, the change lets the application identify the real client's IP address. Administrators should also:
- Restrict access to management endpoints using firewall rules.
- Place Termix behind an authenticated gateway or VPN.
- Monitor logs for unexpected requests to the /ssh/db/host/internal endpoint.
- Rotate any SSH credentials that may have been exposed.
Until a patched Termix Docker image is released, these measures can reduce exposure and limit potential damage.
Users of the Termix Docker image should apply the recommended mitigations immediately and watch for an official patch to keep SSH credentials secure.
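The following is an added example, not Termix's code or the patch to it. It models the localhost check described in the "How the Vulnerability Works" section in its vulnerable form (trusting the TCP peer address, which behind the in-container Nginx proxy is always 127.0.0.1) next to a hardened form of the X-Real-IP approach recommended above. Requests are plain objects carrying only the socket address and headers, and the sample requests are constructed, so it runs without Express, Nginx or a live Termix instance. The hardened check assumes the hypothetical deployment has Nginx configured with `proxy_set_header X-Real-IP $remote_addr;`, so that the header is only honoured when the connection really comes from the proxy.

```javascript
// Added example (not Termix's code): the localhost check behind a reverse
// proxy, vulnerable vs hardened. Requests are modelled as
// { socketAddress, headers } so the logic can be exercised offline.

// Addresses a connection from the co-located Nginx proxy can arrive from.
const PROXY_ADDRESSES = new Set(['127.0.0.1', '::1', '::ffff:127.0.0.1']);

// Vulnerable form: equivalent to testing req.ip without any proxy awareness.
// Behind Nginx in the same container the peer is always the proxy, so every
// request, including a remote attacker's, is classified as local.
function isLocalVulnerable(req) {
  return PROXY_ADDRESSES.has(req.socketAddress);
}

// Hardened form: take the client address from X-Real-IP, but only when the
// connection actually came from the proxy. A direct connection that carries
// its own X-Real-IP header is a spoofing attempt and the header is ignored.
// Assumption (hypothetical deployment): Nginx is configured with
//   proxy_set_header X-Real-IP $remote_addr;
// so a client-supplied X-Real-IP is overwritten before it reaches the backend.
function clientAddress(req) {
  const fromProxy = PROXY_ADDRESSES.has(req.socketAddress);
  const header = req.headers['x-real-ip'];
  if (fromProxy && typeof header === 'string' && header.trim().length > 0) {
    return header.trim();
  }
  return req.socketAddress;
}

function isLocalHardened(req) {
  return PROXY_ADDRESSES.has(clientAddress(req));
}

// Constructed sample requests (not captured traffic).
const SAMPLES = {
  // Remote attacker on the network, arriving through Nginx.
  externalViaProxy: { socketAddress: '127.0.0.1', headers: { 'x-real-ip': '203.0.113.5' } },
  // Genuine local client, arriving through Nginx.
  localViaProxy: { socketAddress: '127.0.0.1', headers: { 'x-real-ip': '127.0.0.1' } },
  // Attacker reaching the backend directly and forging the header.
  spoofedDirect: { socketAddress: '203.0.113.5', headers: { 'x-real-ip': '127.0.0.1' } },
  // Local tool talking to the backend directly, no proxy header at all.
  localDirect: { socketAddress: '127.0.0.1', headers: {} },
};

// Evaluate one request under both checks; returns the two verdicts.
function evaluate(req) {
  return { vulnerable: isLocalVulnerable(req), hardened: isLocalHardened(req) };
}

for (const [name, req] of Object.entries(SAMPLES)) {
  const verdict = evaluate(req);
  console.log(
    `${name.padEnd(18)} client=${clientAddress(req).padEnd(12)}` +
    ` vulnerable-says-local=${verdict.vulnerable} hardened-says-local=${verdict.hardened}`
  );
}
```

The externalViaProxy case is the CVE: the vulnerable check reports it as local and would serve /ssh/db/host/internal, while the hardened check sees 203.0.113.5. The spoofedDirect case shows why the header alone is not enough: without the peer-address gate (or without Nginx overwriting the header), an attacker who can reach the backend directly would simply send X-Real-IP: 127.0.0.1, which is why the mitigations above also insist on keeping the backend unreachable except through the proxy.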