A critical vulnerability in the official Termix Docker image puts users at risk of exposing sensitive SSH credentials.
The flaw allows anyone with network access to retrieve stored host addresses, usernames, and passwords without logging in.
How the Vulnerability Works
Termix provides a Docker image that runs a Node.js backend behind an Nginx reverse proxy.
According to security researchers, the backend code uses the req.ip property to determine whether a request came from the local machine.
Because Nginx and Termix run in the same environment, req.ip always returns the proxy’s IP address (127.0.0.1). This makes the application believe every request is from localhost.
| Field | Details |
| --- | --- |
| CVE ID | CVE-2025-59951 |
| Package | Termix (Node.js) |
| Affected Versions | release-0.1.1-tag – release-1.6.0-tag |
| Patched Versions | None |
| Severity | Critical |
As a result, anyone can call the /ssh/db/host/internal endpoint and retrieve SSH host details without any authentication.
In a typical deployment, the Termix service resides inside a virtual machine. Attackers can scan network assets to find exposed instances.
By sending a simple GET request to the vulnerable endpoint, they receive a list of SSH hosts saved by the service, including credentials needed to connect to upstream servers.
This vulnerability affects all Termix Docker releases from release-0.1.1-tag through release-1.6.0-tag. No patched version exists at the time of writing.

Systems using the official image or custom images built from the official Dockerfile are vulnerable if they use an Nginx reverse proxy with default settings. Security teams can reproduce the flaw by accessing:
http://<host>:<port>/ssh/db/host/internal
With a standard HTTP request, the backend returns complete SSH configuration data. Network scanners and asset mapping platforms make it easy for attackers to locate vulnerable hosts.
Once access is gained, an adversary can move laterally across the network or harvest credentials for further attacks.
Mitigation and Recommendations
To protect against this issue, modify the backend validation logic to use the X-Real-IP header instead of req.ip or the default proxy-forwarded IP.
This change ensures the application accurately identifies the client’s IP address. Administrators should also:
- Restrict access to management endpoints using firewall rules.
- Place Termix behind an authenticated gateway or VPN.
- Monitor logs for unexpected requests to the /ssh/db/host/internal endpoint.
- Rotate any SSH credentials that may have been exposed.
Until a patched Termix Docker image is released, these measures can reduce exposure and limit potential damage.
Users of the Termix Docker image should apply recommended mitigations immediately and await an official patch to ensure SSH credentials remain secure.
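The difference between the flawed req.ip check and the X-Real-IP check recommended under Mitigation, as an added example that is not Termix's own code. It assumes Nginx is configured with `proxy_set_header X-Real-IP $remote_addr;`, and all function names and request objects are constructed for illustration.

```javascript
// Added illustration, not Termix source code. All names and request objects
// here are constructed for the example.
const LOOPBACK = new Set(["127.0.0.1", "::1", "::ffff:127.0.0.1"]);

// Flawed pattern: behind a same-host Nginx, req.ip is always the proxy's
// loopback address, so every caller passes the "local only" check.
function isInternalByReqIp(req) {
  return LOOPBACK.has(req.ip);
}

// Hardened pattern: trust X-Real-IP only when the TCP peer is the local proxy,
// and fail closed if the header is absent or carries more than one value.
function isInternalByRealIp(req) {
  if (!LOOPBACK.has(req.socket.remoteAddress)) return false;
  const real = req.headers["x-real-ip"];
  if (typeof real !== "string" || real.includes(",")) return false;
  return LOOPBACK.has(real.trim());
}

// Model of Nginx with `proxy_set_header X-Real-IP $remote_addr;` (assumed
// config): the client's own X-Real-IP is overwritten with the peer address.
function viaProxy(clientAddr, clientHeaders = {}) {
  const headers = { ...clientHeaders, "x-real-ip": clientAddr };
  return { ip: "127.0.0.1", socket: { remoteAddress: "127.0.0.1" }, headers };
}

// Model of a request that reaches the backend port directly, bypassing Nginx.
function direct(clientAddr, clientHeaders = {}) {
  return { ip: clientAddr, socket: { remoteAddress: clientAddr }, headers: clientHeaders };
}

function evaluate(req) {
  return { reqIpCheck: isInternalByReqIp(req), realIpCheck: isInternalByRealIp(req) };
}

const cases = {
  remoteViaProxy: viaProxy("203.0.113.7"),
  remoteSpoofingHeader: viaProxy("203.0.113.7", { "x-real-ip": "127.0.0.1" }),
  localViaProxy: viaProxy("127.0.0.1"),
  remoteDirectSpoof: direct("203.0.113.7", { "x-real-ip": "127.0.0.1" }),
};
for (const [name, req] of Object.entries(cases)) {
  console.log(name, evaluate(req));
}
```

The header check is only as strong as the proxy configuration: if Nginx passes a client-supplied X-Real-IP through unchanged, the hardened check can be satisfied by any caller, so the firewall and gateway measures listed above still apply.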