{"id":7258,"date":"2025-10-02T08:26:53","date_gmt":"2025-10-02T08:26:53","guid":{"rendered":"https:\/\/techtrendfeed.com\/?p=7258"},"modified":"2025-10-02T08:26:53","modified_gmt":"2025-10-02T08:26:53","slug":"termix-docker-picture-leaking-ssh-credentials-cve-2025-59951","status":"publish","type":"post","link":"https:\/\/techtrendfeed.com\/?p=7258","title":{"rendered":"Termix Docker Picture Leaking SSH Credentials (CVE-2025-59951)"},"content":{"rendered":"


\n<\/p>\n

\n

A important vulnerability within the official Termix Docker picture places customers susceptible to exposing delicate SSH credentials.<\/p>\n

The flaw permits anybody with community entry to retrieve saved host addresses, usernames, and passwords with out logging in.<\/p>\n

How the Vulnerability Works<\/strong><\/h2>\n

Termix supplies a Docker picture that runs a Node.js backend behind an Nginx reverse proxy. <\/p>\n

The backend code makes use of the\u00a0req.ip\u00a0methodology to find out if a request got here from the native machine, as reported<\/a> by Safety Researchers.<\/p>\n

As a result of Nginx and Termix run in the identical setting,\u00a0req.ip\u00a0all the time returns the proxy\u2019s IP tackle (127.0.0.1). This makes the appliance imagine each request is from localhost.<\/p>\n

\n\n\n\n\n\n\n\n\n
CVE ID<\/strong><\/td>\nCVE-2025-59951<\/strong><\/td>\n<\/tr>\n<\/thead>\n
Package deal<\/td>\nTermix (Node.js)<\/td>\n<\/tr>\n
Affected Variations<\/td>\nrelease-0.1.1-tag \u2013 release-1.6.0-tag<\/td>\n<\/tr>\n
Patched Variations<\/td>\nNone<\/td>\n<\/tr>\n
Severity<\/td>\nEssential<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

In consequence, anybody can name the\u00a0\/ssh\/db\/host\/inside\u00a0endpoint and retrieve SSH host<\/a> particulars with none authentication.<\/p>\n

\"endpoint
Endpoint could be accessed immediately with out login or authentication<\/figcaption><\/figure>\n

In a typical deployment, the Termix service resides inside a digital machine. Attackers can scan community property to search out uncovered cases.<\/p>\n

By sending a easy GET request to the weak endpoint, they obtain an inventory of SSH hosts saved by the service, together with credentials wanted to connect with upstream servers.<\/p>\n

This vulnerability impacts all Termix Docker releases from\u00a0release-0.1.1-tag\u00a0by way of\u00a0release-1.6.0-tag. No patched model exists on the time of writing.<\/p>\n

\"host
host machine can immediately entry this interface with out logging in<\/figcaption><\/figure>\n

Methods utilizing the official picture or customized pictures constructed from the official Dockerfile are weak in the event that they use an Nginx reverse proxy with default settings. Safety groups can reproduce the flaw by accessing:<\/p>\n

http:\/\/:\/ssh\/db\/host\/inside<\/port><\/ip><\/code><\/pre>\n
With an ordinary HTTP request, the backend returns full SSH configuration information. Community scanners and asset mapping platforms make it simple for attackers to find weak hosts.<\/p>\n
As soon as entry is gained, an adversary can transfer laterally throughout the community or harvest credentials for additional assaults.<\/p>\n
Mitigation and Suggestions<\/strong><\/p>\n
To guard in opposition to this difficulty, modify the backend validation logic to make use of the\u00a0X-Actual-IP\u00a0header as a substitute of\u00a0req.ip\u00a0or the default proxy-forwarded IP.<\/p>\n
This variation ensures the appliance precisely identifies the consumer\u2019s IP tackle. Directors must also:<\/p>\n