CVE-2025-47791 is a Server-Side Request Forgery (SSRF) vulnerability identified in Nextcloud Server and Nextcloud Enterprise Server versions prior to 28.0.13, 29.0.10, and 30.0.3. Nextcloud is a widely used self-hosted personal cloud platform that allows organizations and individuals to manage files, calendars, contacts, and other data on their own infrastructure. The vulnerability arises from an improperly protected, currently unused endpoint designed to verify share recipients. This endpoint could be exploited by an attacker to make the Nextcloud server proxy arbitrary requests to other internal or external servers. SSRF vulnerabilities typically allow attackers to bypass network restrictions, access internal services, or perform reconnaissance by leveraging the trust relationship of the vulnerable server within its network environment. In this case, the vulnerable endpoint was removed in the fixed versions of Nextcloud Server and Enterprise Server, indicating that no direct patch or workaround is available for affected versions other than upgrading. The CVSS v3.1 base score is 4.3, reflecting a medium severity rating. The vector indicates the attack requires adjacent network access (AV:A), has low attack complexity (AC:L), requires no privileges (PR:N), no user interaction (UI:N), and impacts availability only (A:L) without affecting confidentiality or integrity. There are no known exploits in the wild at the time of publication. This vulnerability is classified under CWE-918, which covers SSRF issues where an attacker can induce the server to make HTTP requests to arbitrary destinations. The risk primarily lies in the potential for attackers to leverage the server as a proxy to reach internal services or external targets that would otherwise be inaccessible, potentially leading to further exploitation or denial of service conditions.

For European organizations using Nextcloud Server or Enterprise Server in the affected versions, this SSRF vulnerability poses a risk of internal network reconnaissance and potential denial of service. Since Nextcloud is often deployed in enterprise and governmental environments to manage sensitive data, an attacker exploiting this vulnerability could use the server to access internal-only services or cloud infrastructure components that are not exposed externally. This could lead to exposure of internal network topology or enable pivoting attacks. Although the vulnerability does not directly compromise confidentiality or integrity, the availability impact could disrupt critical cloud services, affecting business continuity. Additionally, SSRF can sometimes be chained with other vulnerabilities to escalate attacks. Given the widespread adoption of Nextcloud in Europe, especially among public sector entities and privacy-conscious organizations, the vulnerability could be leveraged in targeted attacks against high-value infrastructure. The lack of known exploits reduces immediate risk, but the presence of an unprotected proxy endpoint is a significant concern for organizations with sensitive internal networks.

The primary mitigation is to upgrade Nextcloud Server or Enterprise Server to versions 28.0.13, 29.0.10, 30.0.3 or later, where the vulnerable endpoint has been removed. Since no workarounds are available, patching is critical. Organizations should audit their Nextcloud deployments to identify affected versions and prioritize updates. Network-level controls can be implemented to restrict outbound HTTP requests from Nextcloud servers to only trusted destinations, limiting the potential impact of SSRF exploitation. Additionally, monitoring and logging HTTP requests originating from Nextcloud servers can help detect anomalous proxying behavior. Employing web application firewalls (WAFs) with SSRF detection rules may provide some protection, although this is not a substitute for patching. Finally, organizations should review internal network segmentation to minimize the exposure of sensitive services that could be targeted via SSRF.