VuFind Libraries Face Critical Vulnerabilities – CVE-2024-25737 & CVE-2024-25738
VuFind, the widely used open-source library discovery platform, has issued an urgent security advisory, disclosing two critical vulnerabilities that could expose libraries and their users to serious risks. The flaws, identified as CVE-2024-25737 and CVE-2024-25738, are both rated with a high CVSS score of 9.1, indicating the potential for significant damage if exploited.
Understanding the Threats
- CVE-2024-25737: Server-Side Request Forgery (SSRF): This vulnerability could allow attackers to trick the VuFind server into fetching content from unauthorized sources, potentially leading to data leaks, website defacement, and even cross-site scripting (XSS) attacks.
- CVE-2024-25738: Server-Side Request Forgery (SSRF) leading to Remote Code Execution (RCE) in version 9.1: This vulnerability allows remote attackers to overwrite local configuration files, potentially gaining access to the administrator panel or even executing arbitrary code on the server.
Security researcher Rob (@x65534 on GitHub) deserves recognition for identifying and responsibly disclosing these vulnerabilities, allowing the VuFind community to respond swiftly and protect its users.
Who’s Affected?
All VuFind installations from version 2.0 through 9.1 are vulnerable to these flaws. Libraries, educational institutions, and any other organizations using VuFind should take immediate action to protect their systems and data.
Mitigating the Risks
The most effective way to address these vulnerabilities is to upgrade to VuFind 9.1.1 immediately. This version includes patches for both CVE-2024-25737 and CVE-2024-25738. Detailed instructions on how to upgrade can be found on the VuFind website.
For those unable to upgrade immediately, the VuFind team has provided alternative mitigation options, including backported patches for recent releases and manual code modifications for older versions. However, these options may require technical expertise and should be implemented with caution.
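The advisory above describes the class of flaw (SSRF) and the affected version range but not VuFind's patch itself. As an added illustration that is not VuFind's code (VuFind is written in PHP; this is a generic Python sketch), the block below shows the two checks a defender typically wants when triaging this kind of advisory: a version-range test built from the "2.0 through 9.1, fixed in 9.1.1" facts stated on the page, and an allowlist-based validator for server-side fetch targets that rejects non-HTTP schemes, embedded credentials, hosts outside an allowlist, and names that resolve to private, loopback, link-local or multicast addresses. The allowlist hosts and the resolver stubs are constructed for the example; the exact parameters VuFind validates are not stated on the page and are not assumed here.

```python
import ipaddress
import re
import socket
from urllib.parse import urlsplit

# Affected range from the advisory: 2.0 <= version < 9.1.1 (9.1.1 carries the fix).
FIRST_AFFECTED = (2, 0, 0)
FIXED_IN = (9, 1, 1)

# Example allowlist of upstream hosts the application may fetch from (constructed).
ALLOWED_HOSTS = {"catalog.example.org", "cover-images.example.org"}
ALLOWED_SCHEMES = {"http", "https"}


def parse_version(text):
    """Turn '9.1', 'v9.0.1' or '9.1.1-rc1' into a 3-tuple of ints (extra parts ignored)."""
    nums = [int(n) for n in re.findall(r"\d+", text)][:3]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def needs_upgrade(version_text):
    """True when the installed VuFind version falls inside the affected range."""
    v = parse_version(version_text)
    return FIRST_AFFECTED <= v < FIXED_IN


def _is_public_ip(ip_text):
    """Reject anything that is not a routable public address."""
    ip = ipaddress.ip_address(ip_text)
    # IPv4-mapped IPv6 (::ffff:10.0.0.5) must be judged by the embedded IPv4 address.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def resolve_all(host):
    """Real DNS lookup: every address the name maps to (used only when no stub is given)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_fetch_target(url, resolver=resolve_all):
    """Return (ok, reason); ok is True only when url is acceptable for a server-side fetch."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    # 'http://allowed.host@attacker/' parses with allowed.host as userinfo, not the host.
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"
    host = parts.hostname  # lower-cased; brackets stripped from IPv6 literals
    if not host:
        return False, "missing host"
    if host not in ALLOWED_HOSTS:
        return False, "host not on allowlist"
    # Even an allowlisted name must resolve only to public addresses (misconfig, rebinding).
    try:
        addrs = resolver(host)
    except OSError:
        return False, "resolution failed"
    if not addrs:
        return False, "no addresses"
    for addr in addrs:
        if not _is_public_ip(addr):
            return False, f"resolves to non-public address {addr}"
    return True, "ok"


if __name__ == "__main__":
    for v in ("9.1", "9.1.1", "1.4"):
        print(v, "needs upgrade" if needs_upgrade(v) else "not in affected range")
    stub = lambda host: ["93.184.216.34"]  # constructed public address, no network access
    print(validate_fetch_target("https://catalog.example.org/record/1", resolver=stub))
    print(validate_fetch_target("file:///etc/passwd", resolver=stub))
```

The validator is deliberately applied before the request is made and again after any HTTP redirect, since a redirect from an allowlisted host can otherwise land on an internal address; the resolver is injected so the check can be unit-tested without DNS.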