CVE-2025-57814 is a Server-Side Request Forgery (SSRF) vulnerability identified in the azu project’s request-filtering-agent, an HTTP(S) agent implementation designed to block requests to private or reserved IP addresses. The vulnerability affects all versions prior to 2.0.0. The core issue lies in the agent's handling of HTTPS requests to the localhost IP address 127.0.0.1. While HTTP requests to this address are correctly blocked, HTTPS requests bypass the IP filtering mechanism, allowing an attacker to send crafted HTTPS requests to internal services running on localhost. This bypass undermines the intended SSRF protection, which is critical when applications accept user-controlled URLs and rely solely on network-level restrictions to protect internal services. Exploiting this vulnerability could enable attackers to access sensitive internal endpoints, potentially exposing confidential data or enabling further internal attacks. The vulnerability has a CVSS 4.0 base score of 5.5 (medium severity), reflecting its network attack vector, low attack complexity, no required privileges or user interaction, and limited scope impact. The issue was publicly disclosed on August 25, 2025, and fixed in version 2.0.0 of the request-filtering-agent. No known exploits are currently reported in the wild.

For European organizations, this vulnerability poses a moderate risk, particularly for those using the azu request-filtering-agent in their web applications or microservices architectures. Organizations that accept user-supplied URLs and rely on this library for SSRF protection may inadvertently expose internal HTTPS services running on localhost. This can lead to unauthorized access to sensitive internal APIs, configuration endpoints, or administrative interfaces that are otherwise protected by network segmentation. The impact includes potential data leakage, unauthorized internal reconnaissance, and a stepping stone for further lateral movement or privilege escalation within the network. Given the medium CVSS score and the lack of required authentication or user interaction, exploitation could be automated and executed remotely, increasing the risk for cloud-based and internet-facing applications. However, the absence of known active exploits and the availability of a patch reduce immediate risk if organizations promptly update.

European organizations should immediately upgrade the azu request-filtering-agent to version 2.0.0 or later, where the HTTPS localhost filtering bypass is fixed. Beyond patching, organizations should implement strict input validation and sanitization for any user-controlled URLs to limit SSRF attack vectors. Employing network segmentation and zero-trust principles to restrict access to internal services, even from localhost, can reduce the impact of potential SSRF attacks. Monitoring and logging outbound HTTP(S) requests from applications can help detect anomalous internal requests indicative of exploitation attempts. Additionally, organizations should conduct security reviews of all third-party libraries used in their software stack to identify similar SSRF protections and ensure they are up to date. Finally, applying runtime application self-protection (RASP) or web application firewalls (WAFs) with SSRF detection capabilities can provide an additional layer of defense.