Web‑based image galleries are ubiquitous components of modern content‑management systems (CMS). Their convenience often masks complex processing pipelines that handle user‑uploaded files, generate thumbnails, and serve media over CDN networks. When these pipelines are not rigorously hardened, they become attractive targets for attackers seeking to achieve Remote Code Execution (RCE), Server‑Side Request Forgery (SSRF), or Data Exfiltration.
PacificGirls.com is a niche social platform that hosts user‑generated photos and videos aimed at a global audience interested in fashion, lifestyle, and cultural exchange. In January 2025 security researchers from the OSCRG observed anomalous HTTP requests targeting the site’s /gallery/ endpoint, prompting a focused investigation that uncovered a critical vulnerability. The site’s operators responded with a patch on 12 March 2025. pacificgirls com gallery patched
The purpose of this paper is threefold:
The patch was released on 12 March 2025 (version 2.4.7) and consisted of three major components: The patch was released on 12 March 2025 (version 2
| CVE‑ID (internal) | CWE‑ID | Severity (CVSS v3.1) | |-------------------|--------|----------------------| | PG‑2025‑001 | CWE‑502 (Insecure Deserialization) | 9.8 (Critical) | | PG‑2025‑002 | CWE‑1035 (ImageTragick) | 9.3 (Critical) | | PG‑2025‑003 | CWE‑918 (SSRF) | 8.2 (High) | Server‑Side Request Forgery (SSRF)