CVE-2025-59951: CWE-348: Use of Less Trusted Source in LukeGus Termix
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. The official Docker image for Termix versions 1.5.0 and below, due to being configured with an Nginx reverse proxy, causes the backend to retrieve the proxy's IP instead of the client's IP when using the req.ip method. This results in isLocalhost always returning true. Consequently, the /ssh/db/host/internal endpoint can be accessed directly without login or authentication. This endpoint records the system's stored SSH host information, including addresses, usernames, and passwords, posing an extremely high security risk. Users who use the official Termix Docker image, build their own image using the official Dockerfile, or utilize reverse proxy functionality will be affected by this vulnerability. This issue is fixed in version 1.6.0.
AI Analysis
Technical Summary
CVE-2025-59951 is a critical vulnerability affecting Termix, a web-based server management platform developed by LukeGus that provides SSH terminal access, tunneling, and file editing capabilities. The vulnerability exists in Termix versions prior to 1.6.0, particularly when deployed using the official Docker image or custom images built from the official Dockerfile that employ an Nginx reverse proxy. The root cause is improper handling of client IP addresses due to the reverse proxy configuration. Specifically, the backend uses the req.ip method which returns the proxy's IP address instead of the actual client's IP. This causes the isLocalhost function to always return true, mistakenly identifying all incoming requests as originating from localhost. As a result, the /ssh/db/host/internal endpoint, which stores sensitive SSH host information including addresses, usernames, and passwords, becomes accessible without any authentication or login requirements. This effectively bypasses all access controls and exposes critical credentials and system information to unauthenticated attackers. The vulnerability is classified under CWE-348 (Use of Less Trusted Source) and CWE-284 (Improper Access Control). The CVSS 4.0 base score is 9.2 (critical), reflecting the network exploitable nature (AV:N), low attack complexity (AC:L), no privileges or user interaction required (PR:N/UI:N), and high impact on confidentiality (VC:H) with limited impact on integrity (VI:L) and no impact on availability (VA:N). Although no known exploits are reported in the wild yet, the ease of exploitation and the sensitive nature of the exposed data make this a severe threat. The issue is resolved in Termix version 1.6.0 by correcting the IP address handling and enforcing proper authentication on the sensitive endpoint.
Potential Impact
For European organizations using Termix versions below 1.6.0, especially those deploying the official Docker image or custom images with Nginx reverse proxies, this vulnerability poses a significant risk. Unauthorized access to the /ssh/db/host/internal endpoint can lead to exposure of SSH credentials, enabling attackers to gain unauthorized SSH access to managed servers. This can result in lateral movement within networks, data exfiltration, and potential full system compromise. Confidentiality is severely impacted due to exposure of sensitive credentials, while integrity may be partially affected if attackers modify SSH configurations or files. Availability impact is minimal directly but could be consequential if attackers disrupt services after gaining access. Given the widespread use of SSH for server management in European enterprises, including critical infrastructure, financial institutions, and government agencies, exploitation could lead to severe operational disruptions and data breaches. The vulnerability also undermines trust in containerized deployments and reverse proxy configurations, which are common in modern European IT environments.
Mitigation Recommendations
1. Immediate upgrade to Termix version 1.6.0 or later, where the vulnerability is fixed.
2. For organizations unable to upgrade immediately, implement network-level access controls to restrict access to the Termix management interface, ensuring it is not exposed to untrusted networks or the public internet.
3. Modify the Nginx reverse proxy configuration to correctly forward the original client IP address using standard headers such as X-Forwarded-For, and ensure Termix is configured to trust and parse these headers properly.
4. Implement additional authentication and authorization layers in front of Termix, such as VPN access or web application firewalls (WAFs), to prevent unauthorized access to sensitive endpoints.
5. Conduct thorough audits of SSH credentials stored within Termix and rotate any exposed credentials immediately.
6. Monitor network and application logs for unusual access patterns to the /ssh/db/host/internal endpoint or other sensitive resources.
7. Educate DevOps and security teams about the risks of relying on reverse proxy IP detection without proper validation.
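The reverse-proxy failure described in the technical summary and the X-Forwarded-For handling recommended in mitigation 3, as an added example written for this page (not Termix's own code): a plain-JavaScript model of a Node backend sitting behind Nginx, with constructed request objects, a hypothetical trusted-proxy set, hypothetical helper names, and an assumed policy that the internal endpoint requires an authenticated session.

```javascript
// Added example, not Termix's code: how a loopback check behaves behind a reverse proxy
// and how to derive the client address safely. Request objects, the trusted-proxy set
// and all helper names are constructed for this illustration.

const LOOPBACK = new Set(['127.0.0.1', '::1', '::ffff:127.0.0.1']);

// Vulnerable pattern: trusts the socket peer address (what Express exposes as req.ip
// when trust proxy is off). With Nginx on the same host that peer is the proxy itself,
// so every request, including one from the internet, looks local.
function isLocalhostNaive(req) {
  return LOOPBACK.has(req.ip);
}

// Hardened: consult X-Forwarded-For only when the socket peer is a proxy we operate,
// then walk the chain from the right; the first address not in the trusted set is the
// client. A header arriving from an untrusted peer is ignored, so it cannot be forged.
function clientAddress(req, trustedProxies) {
  if (!trustedProxies.has(req.ip)) return req.ip;
  const chain = ((req.headers || {})['x-forwarded-for'] || '')
    .split(',').map(s => s.trim()).filter(Boolean);
  for (let i = chain.length - 1; i >= 0; i--) {
    if (!trustedProxies.has(chain[i])) return chain[i];
  }
  return req.ip; // header missing or every hop trusted: fall back to the peer address
}

function isLocalhostHardened(req, trustedProxies) {
  return LOOPBACK.has(clientAddress(req, trustedProxies));
}

// Assumed policy for the sensitive endpoint, in the spirit of the 1.6.0 fix: the source
// address is never sufficient on its own; an authenticated session is always required.
function canReadInternalHosts(req, trustedProxies) {
  return req.authenticated === true && isLocalhostHardened(req, trustedProxies);
}

// Constructed requests as the backend sees them with Nginx (127.0.0.1) in front of it.
const TRUSTED_PROXIES = new Set(['127.0.0.1']);
const fromInternet = { ip: '127.0.0.1', headers: { 'x-forwarded-for': '203.0.113.7' }, authenticated: false };
const fromLocalAdmin = { ip: '127.0.0.1', headers: { 'x-forwarded-for': '127.0.0.1' }, authenticated: true };
const headerFromUntrustedPeer = { ip: '198.51.100.9', headers: { 'x-forwarded-for': '127.0.0.1' }, authenticated: false };

console.log('naive check, internet request:', isLocalhostNaive(fromInternet));                        // true (the bug)
console.log('hardened check, internet request:', isLocalhostHardened(fromInternet, TRUSTED_PROXIES)); // false
console.log('client seen for internet request:', clientAddress(fromInternet, TRUSTED_PROXIES));       // 203.0.113.7
```

The naive check is the failure mode the advisory describes; the hardened version only changes the answer when the proxy is in the trusted set, which is why the Nginx container's address must be configured explicitly rather than trusting any peer.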
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Poland
Technical Details
Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-09-23T14:33:49.506Z
CVSS Version: 4.0
State: PUBLISHED
Threat ID: 68dda3ebe96067ff09c5f065
Added to database: 10/1/2025, 9:58:03 PM
Last enriched: 10/1/2025, 9:58:16 PM
Last updated: 10/2/2025, 3:00:46 AM