Advisory

Critical authentication bypass flaw in Termix Docker image exposes SSH credentials

Take action: If you're using Termix Docker images, upgrade to version 1.7.0 because your SSH credentials can easily be stolen. Until you upgrade, make sure Termix is not exposed to untrusted networks or the internet, or modify the configuration to use the X-Real-IP header instead of relying only on req.ip or X-Forwarded-For headers.


Learn More

Termix is reporting a critical authentication bypass vulnerability in its official Docker image that allows unauthorized access to sensitive SSH configuration data without any authentication. 

Termix is an open-source, self-hosted server management platform that provides web-based SSH terminal access, tunneling capabilities, and remote file management through a centralized interface. Essentially, it's a jump host server. The platform's design allows administrators to manage multiple servers and infrastructure components from a single intuitive dashboard.

The vulnerability is tracked as CVE-2025-59951 (CVSS score 9.2). It stems from a misconfiguration in the Nginx reverse proxy setup that makes the backend misidentify all incoming requests as originating from localhost, effectively bypassing authentication controls for critical endpoints.

The Termix Docker image is configured with an Nginx reverse proxy that forwards all traffic to the Termix backend service running at 127.0.0.1:8081. Although Nginx properly sets proxy headers such as X-Real-IP and X-Forwarded-For, the Termix backend code relies exclusively on the req.ip value to determine the client's IP address. Since Nginx and Termix run in the same container environment, req.ip consistently returns the proxy's address (127.0.0.1) rather than the actual client IP. This causes the backend's isLocalhost validation function to always evaluate as true, granting unrestricted access to sensitive endpoints that should require authentication.

The most critical impact occurs at the /ssh/db/host/internal endpoint, which stores complete SSH host configuration information. Any attacker with network access to a vulnerable Termix instance can send a simple GET request to this endpoint and retrieve a database of SSH credentials without providing any login credentials or authentication tokens.

Affected versions of Termix include all Docker releases from release-0.1.1-tag through release-1.6.0-tag. Organizations using the official Docker image, custom images built from the official Dockerfile, or deployments utilizing reverse proxy functionality with similar configurations are vulnerable to this attack. 

Security researchers confirmed that vulnerable instances can be easily identified through network asset scanning platforms, and the vulnerability can be reliably reproduced in standard deployment configurations. In typical deployments where the Termix service runs inside a virtual machine, host machines can directly access the vulnerable endpoint without any authentication barrier.

Termix has released version 1.7.0 (release-1.7.0-tag), which patches this vulnerability. Organizations should immediately upgrade to this patched version to secure their deployments. As a temporary mitigation for organizations unable to immediately upgrade, administrators should modify the backend validation logic to use the X-Real-IP header instead of relying only on req.ip or X-Forwarded-For headers.
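The localhost check described above and the X-Real-IP mitigation can be compared side by side in the following added example, which is not code from the Termix project. All function names and the sample requests are hypothetical, and it assumes Nginx overwrites X-Real-IP with the connecting client's address on every proxied request.

```javascript
// Added example; names are hypothetical, not taken from the Termix code base.
const LOOPBACK = new Set(["127.0.0.1", "::1"]);

// Strip the IPv4-mapped IPv6 prefix Node reports on dual-stack sockets.
function normalizeIp(ip) {
  return typeof ip === "string" ? ip.trim().replace(/^::ffff:/i, "") : "";
}

function isLoopback(ip) {
  return LOOPBACK.has(normalizeIp(ip));
}

// Flawed pattern described in the advisory: the TCP peer is always the
// in-container Nginx, so every proxied request is classified as local.
function isLocalhostFlawed(req) {
  return isLoopback(req.socket.remoteAddress);
}

// Corrected pattern: honour X-Real-IP only when the direct peer is the
// loopback proxy; a header sent by any other peer is ignored.
function resolveClientIp(req) {
  const peer = normalizeIp(req.socket.remoteAddress);
  const realIp = normalizeIp(req.headers["x-real-ip"]);
  return isLoopback(peer) && realIp ? realIp : peer;
}

function isLocalhostFixed(req) {
  return isLoopback(resolveClientIp(req));
}

// Constructed sample requests (documentation-range addresses).
const samples = {
  remoteViaProxy: { socket: { remoteAddress: "::ffff:127.0.0.1" }, headers: { "x-real-ip": "203.0.113.7" } },
  localViaProxy: { socket: { remoteAddress: "127.0.0.1" }, headers: { "x-real-ip": "127.0.0.1" } },
  directLocal: { socket: { remoteAddress: "::1" }, headers: {} },
  spoofedDirect: { socket: { remoteAddress: "198.51.100.9" }, headers: { "x-real-ip": "127.0.0.1" } },
};

function classifyAll() {
  const out = {};
  for (const [name, req] of Object.entries(samples)) {
    out[name] = { flawed: isLocalhostFlawed(req), fixed: isLocalhostFixed(req) };
  }
  return out;
}

console.log(classifyAll());
```

The header-based check is only as strong as the proxy configuration: if Nginx ever forwards a client-supplied X-Real-IP unchanged, the corrected function inherits that value, so a localhost test should not be the sole authentication control on a sensitive endpoint.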
