
CVE-2025-59951: CWE-348: Use of Less Trusted Source in LukeGus Termix

Severity: Critical
Type: Vulnerability
Tags: CVE-2025-59951, CWE-348, CWE-284
Published: Wed Oct 01 2025 (10/01/2025, 21:52:01 UTC)
Source: CVE Database V5
Vendor/Project: LukeGus
Product: Termix

Description

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Because the official Docker image for Termix versions 1.5.0 and below places the backend behind an Nginx reverse proxy, the backend retrieves the proxy's IP instead of the client's IP when it reads req.ip. This results in isLocalhost always returning true. Consequently, the /ssh/db/host/internal endpoint can be accessed directly without login or authentication. This endpoint returns the system's stored SSH host information, including addresses, usernames, and passwords, posing an extremely high security risk. Users who use the official Termix Docker image, build their own image using the official Dockerfile, or utilize reverse proxy functionality are affected by this vulnerability. This issue is fixed in version 1.6.0.

AI-Powered Analysis

Last updated: 10/08/2025, 22:07:31 UTC

Technical Analysis

CVE-2025-59951 is a critical security vulnerability affecting Termix, a web-based server management tool that provides SSH terminal access, tunneling, and file editing. The vulnerability is rooted in the official Docker image for Termix versions 1.5.0 and below, which uses an Nginx reverse proxy configuration that causes the backend application to incorrectly identify the client IP address. Specifically, when the backend calls req.ip, it receives the proxy's IP instead of the actual client IP, causing the isLocalhost function to always return true. This logic flaw bypasses authentication checks for the /ssh/db/host/internal endpoint, which stores sensitive SSH host credentials such as IP addresses, usernames, and passwords. As a result, attackers can directly access this endpoint without any login or authentication, exposing critical secrets that can be leveraged to compromise managed servers. The vulnerability is classified under CWE-348 (Use of Less Trusted Source) and CWE-284 (Improper Access Control). The CVSS 4.0 score is 9.2 (critical), reflecting the ease of exploitation (no authentication or user interaction required), the high impact on confidentiality, and the broad scope of affected systems. Although no known exploits are currently reported in the wild, the severity and nature of the flaw make it a prime target for attackers. The issue is resolved in Termix version 1.6.0, which corrects the IP detection logic and enforces proper authentication for sensitive endpoints. Users deploying Termix via Docker or using reverse proxy setups should prioritize upgrading to the patched version and auditing their configurations to prevent unauthorized access.

Potential Impact

For European organizations, this vulnerability poses a significant risk to the confidentiality and integrity of server management credentials. Exposure of SSH host information can lead to unauthorized access to critical infrastructure, data breaches, lateral movement within networks, and potential full system compromise. Organizations relying on Termix for managing multiple servers, especially in sectors like finance, healthcare, and government, face heightened risks due to the sensitive nature of their data and regulatory requirements such as GDPR. The ease of exploitation without authentication increases the likelihood of automated scanning and attacks, potentially resulting in widespread compromise. Additionally, the use of Docker and reverse proxies is common in modern European IT environments, amplifying the threat surface. Failure to patch or mitigate this vulnerability could lead to operational disruptions, reputational damage, and legal consequences under European data protection laws.

Mitigation Recommendations

1. Upgrade Termix installations to version 1.6.0 or later immediately to apply the official fix addressing the IP detection and authentication bypass.
2. Review and harden reverse proxy configurations, ensuring that the backend correctly identifies client IP addresses, for example by properly setting and validating X-Forwarded-For headers.
3. Implement network segmentation and access controls to restrict access to Termix management interfaces only to trusted internal networks or VPNs.
4. Enable logging and monitoring on Termix endpoints, especially /ssh/db/host/internal, to detect any unauthorized access attempts.
5. Avoid using the official Docker image without customization; consider building images with enhanced security configurations and minimal privileges.
6. Conduct regular audits of stored SSH credentials and rotate passwords or keys if exposure is suspected.
7. Employ multi-factor authentication and additional layers of access control around server management tools.
8. Educate DevOps and security teams about the risks of relying on less trusted sources for client identification in proxy environments.


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-09-23T14:33:49.506Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68dda3ebe96067ff09c5f065

Added to database: 10/1/2025, 9:58:03 PM

Last enriched: 10/8/2025, 10:07:31 PM

Last updated: 11/17/2025, 10:10:28 AM

