
Manager-io/Manager: Complete Bypass of SSRF Protection via Time-of-Check Time-of-Use (TOCTOU) (CVE-2025-64180)

Score 10 / 10 (CRITICAL)
CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Description

Manager-io/Manager is accounting software. In Manager Desktop and Server versions 25.11.1.3085 and below, a critical vulnerability permits unauthorized access to internal network resources. The flaw lies in the fundamental design of the DNS validation mechanism: the hostname is validated at one point in time but resolved again when the connection is made, and a Time-of-Check Time-of-Use (TOCTOU) condition between those two steps allows attackers to bypass network isolation and access internal services, cloud metadata endpoints, and protected network segments. The Desktop edition requires no authentication; the Server edition requires only standard authentication. This issue is fixed in version 25.11.1.3086.
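The check-then-use gap the description refers to, shown as an added illustration that is not code from Manager: the hypothetical `RebindingResolver` stands in for a DNS server that changes its answer between the validation lookup and the connection lookup, and `fetch_pinned` shows the resolve-once-and-connect-to-the-validated-address mitigation (a real implementation must also repeat the check on every redirect).

```python
import ipaddress
from typing import Callable, List

# A resolver maps a hostname to the list of addresses DNS returned (stand-in for getaddrinfo).
Resolver = Callable[[str], List[str]]


def is_public(ip: str) -> bool:
    """True only for addresses outside private, loopback, link-local (incl. 169.254.169.254),
    multicast, reserved and unspecified ranges."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def fetch_check_then_use(host: str, resolve: Resolver) -> str:
    """Vulnerable pattern: validate one resolution, then connect by *name*, which
    performs a second, unchecked lookup. Returns the address actually connected to."""
    if not all(is_public(ip) for ip in resolve(host)):      # time of check
        raise ValueError("blocked: non-public address")
    return resolve(host)[0]                                  # time of use: fresh lookup


def fetch_pinned(host: str, resolve: Resolver) -> str:
    """Hardened pattern: resolve once, validate every returned address, and connect to
    that validated address (sending the original name in the Host header / SNI)."""
    answers = resolve(host)
    if not answers or not all(is_public(ip) for ip in answers):
        raise ValueError("blocked: non-public address")
    return answers[0]                                        # no second lookup


class RebindingResolver:
    """Constructed DNS stand-in (hypothetical): hands out the configured answers in
    order, repeating the last one once the list is exhausted."""

    def __init__(self, answers: List[str]) -> None:
        self._answers = list(answers)

    def __call__(self, host: str) -> List[str]:
        if len(self._answers) > 1:
            return [self._answers.pop(0)]
        return [self._answers[0]]


if __name__ == "__main__":
    # Constructed sample: public answer first, cloud metadata address second.
    dns = RebindingResolver(["1.2.3.4", "169.254.169.254"])
    print("check-then-use connected to:", fetch_check_then_use("app.example", dns))
    dns = RebindingResolver(["1.2.3.4", "169.254.169.254"])
    print("pinned connected to:", fetch_pinned("app.example", dns))
```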

AI Analysis

A Time-of-Check Time-of-Use (TOCTOU) vulnerability in Manager Desktop and Server versions 25.11.1.3085 and below allows unauthorized access to internal network resources.

Basic Information

ID CVE-2025-64180
Source GitHub_M
Published Nov 7, 2025 at 02:58

Affected Product

Vendor Manager-io
Product Manager
Version < 25.11.1.3086
Affected Versions Manager-io Manager < 25.11.1.3086

CWE Classification

AI Assessment

AI Score 10 / 10
AI Severity Critical

References
