CVE-2025-57814 is a Server-Side Request Forgery (SSRF) vulnerability identified in the azu project’s request-filtering-agent library, specifically versions prior to 2.0.0. The request-filtering-agent is an HTTP(S) agent implementation designed to block outbound HTTP requests to private or reserved IP addresses, thereby preventing SSRF attacks that target internal network resources. However, in versions 1.x.x and earlier, a critical flaw exists where HTTPS requests to the localhost IP address (127.0.0.1) bypass the IP filtering mechanism, while HTTP requests are correctly blocked. This means that an attacker who can supply or manipulate URLs processed by an application using this library can force the application to make HTTPS requests to internal services running on localhost, circumventing network-level protections and the library’s intended SSRF defenses. Since internal services often rely on network isolation rather than robust authentication, this vulnerability can expose sensitive internal endpoints, potentially leaking confidential data or enabling further internal attacks. The vulnerability does not require authentication or user interaction and can be exploited remotely if the application accepts user-controlled URLs. The issue has been addressed in version 2.0.0 of the request-filtering-agent, which correctly blocks HTTPS requests to private IP ranges including localhost. The CVSS v4.0 score is 5.5 (medium severity), reflecting the network attack vector, low complexity, no privileges or user interaction required, but limited scope and impact confined to confidentiality and integrity of internal services. No known exploits are reported in the wild as of now.

For European organizations, this SSRF vulnerability poses a moderate risk particularly to web applications and services that utilize the azu request-filtering-agent library versions prior to 2.0.0 and accept user-supplied URLs. Exploitation could allow attackers to access internal HTTPS services running on localhost, potentially exposing sensitive data or enabling lateral movement within the internal network. This is especially critical for organizations relying on network-level isolation as the primary defense for internal services, such as financial institutions, healthcare providers, and government agencies, where internal service confidentiality is paramount. The vulnerability could lead to unauthorized data disclosure or manipulation of internal services, undermining trust and compliance with regulations like GDPR. While the vulnerability does not directly cause denial of service, the breach of internal service confidentiality and integrity can have cascading effects on business operations and security posture.

European organizations should immediately audit their use of the azu request-filtering-agent library and identify any deployments running versions earlier than 2.0.0. The primary mitigation is to upgrade to version 2.0.0 or later, which contains the fix for HTTPS localhost request filtering. Additionally, organizations should implement strict input validation and sanitization on any user-controlled URLs to prevent injection of malicious requests. Network segmentation and zero-trust principles should be enforced to reduce reliance on network-level protections alone. Internal services should require strong authentication and authorization controls rather than relying solely on IP-based restrictions. Monitoring and logging of outbound HTTP(S) requests from applications can help detect anomalous SSRF attempts. Finally, penetration testing and code reviews focusing on SSRF vectors should be conducted to identify and remediate similar vulnerabilities.