CVE-2025-59951

Description

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. The official Docker image for Termix versions 1.5.0 and below, due to being configured with an Nginx reverse proxy, causes the backend to retrieve the proxy's IP instead of the client's IP when using the req.ip method. This results in isLocalhost always returning True. Consequently, the /ssh/db/host/internal endpoint can be accessed directly without login or authentication. This endpoint records the system's stored SSH host information, including addresses, usernames, and passwords, posing an extremely high security risk. Users who use the official Termix docker image, build their own image using the official dockerfile, or utilize reverse proxy functionality will be affected by this vulnerability. This issue is fixed in version 1.6.0.

CVSS v3.1 Score

9.1

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Weakness Type (CWE)

CWE-284 CWE-284

CWE-348 CWE-348

CWE-345 CWE-345

Affected Products

Vendor	Product	Versions
termix	termix	0.1.1 — 1.6.0

References

Advisories & Patches

https://github.com/LukeGus/Termix/pull/221 https://github.com/LukeGus/Termix/security/advisories/GHSA-92cw-877q-6r94 https://github.com/LukeGus/Termix/security/advisories/GHSA-92cw-877q-6r94

Exploits

https://github.com/LukeGus/Termix/security/advisories/GHSA-92cw-877q-6r94 https://github.com/LukeGus/Termix/security/advisories/GHSA-92cw-877q-6r94

Frequently Asked Questions

What is CVE-2025-59951? +

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. The official Docker image for Termix versions 1.5.0 and below, due to being configured with an Nginx reverse proxy, causes the backend to retrieve the proxy's IP instead of the client's IP when using the req.ip method. This results in isLocalhost always returning True. Consequently, the /ssh/db/host/internal endpoint can be accessed directly without login or authentication. This endpoint records the system's stored SSH host information, including addresses, usernames, and passwords, posing an extremely high security risk. Users who use the official Termix docker image, build their own image using the official dockerfile, or utilize reverse proxy functionality will be affected by this vulnerability. This issue is fixed in version 1.6.0. It has a CVSS v3.1 base score of 9.1 (CRITICAL).

How severe is CVE-2025-59951? +

CVE-2025-59951 has a CVSS v3.1 score of 9.1 out of 10, rated CRITICAL. This is a critical vulnerability that should be patched immediately.

What products are affected by CVE-2025-59951? +

CVE-2025-59951 affects products from termix, specifically: termix. Check the affected products table above for specific version ranges.

How do I check if I'm vulnerable to CVE-2025-59951? +

You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2026-35402

mcp-neo4j-cypher is an MCP server for executing Cypher queries against Neo4j databases. In versions prior to 0.6.0, the read_only mode …

CVE-2026-40866

Horilla is a free and open source Human Resource Management System (HRMS). In 1.5.0, an insecure direct object reference in …

CVE-2026-40865

Horilla is a free and open source Human Resource Management System (HRMS). In 1.5.0, an insecure direct object reference in …

CVE-2026-40874

mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, no administrator verification takes …

CVE-2026-42278

UltraDAG is a minimal DAG-BFT blockchain in Rust. Prior to commit fb6ef59, the UltraDAG StateEngine implementation of SmartTransferTx contains a …

CVE-2026-40867

Horilla is a free and open source Human Resource Management System (HRMS). In 1.5.0, a broken access control vulnerability in …