CVE-2025-58441 is a Server-Side Request Forgery (SSRF) vulnerability classified under CWE-918 affecting KnowageLabs Knowage-Server, an open-source analytics and business intelligence platform. Versions prior to 8.1.37 allow unauthenticated attackers to induce the server to send HTTP requests to arbitrary hosts and paths. The vulnerability is blind, meaning the attacker cannot see the response content, which limits direct data theft but still permits internal network reconnaissance and potential exploitation of other internal services. The flaw arises because the server does not properly validate or restrict URLs or hosts that it can request, enabling attackers to scan internal IP ranges or access internal-only services. The CVSS v4.0 score is 6.3 (medium), reflecting network attack vector, low complexity, no privileges required, no user interaction, and limited confidentiality impact. No known exploits have been reported in the wild. The issue was addressed and patched in Knowage-Server version 8.1.37, which implements proper validation and restrictions on server-side requests. Organizations running vulnerable versions should upgrade promptly to mitigate risks.

For European organizations, this vulnerability poses a risk primarily of internal network reconnaissance and potential lateral movement within corporate environments. Attackers can leverage the SSRF to scan internal IP ranges, discover internal services, and potentially exploit other vulnerabilities in those services. Although direct data exfiltration via this SSRF is limited due to its blind nature, the reconnaissance capability can facilitate more targeted attacks, including privilege escalation or data breaches through chained exploits. Organizations using Knowage-Server in critical infrastructure, finance, healthcare, or government sectors could face increased risk if internal network segmentation and monitoring are insufficient. The vulnerability could also be used to access internal cloud metadata services or management interfaces if present, increasing the attack surface. The medium severity indicates a moderate but non-trivial risk that should be addressed promptly to prevent exploitation.

1. Upgrade Knowage-Server to version 8.1.37 or later, where the vulnerability is patched. 2. Implement strict network segmentation and firewall rules to limit server access to internal resources and sensitive services. 3. Employ egress filtering on the Knowage-Server host to restrict outbound HTTP requests to only trusted destinations. 4. Monitor server logs and network traffic for unusual outbound requests or scanning activity indicative of SSRF exploitation attempts. 5. Use web application firewalls (WAFs) with SSRF detection capabilities to block suspicious request patterns. 6. Conduct internal vulnerability assessments and penetration tests to identify and remediate any chained vulnerabilities that could be exploited following SSRF reconnaissance. 7. Educate security teams about SSRF risks and ensure incident response plans include SSRF scenarios. These measures go beyond generic patching by focusing on network controls, monitoring, and detection to reduce the attack surface and improve resilience.