Hi all, quick heads-up. I disclosed an SSRF vulnerability in nym-node back in March that affects every exit gateway running nym-node <= 1.30.0. The bug let any mixnet user reach localhost and link-local services on the gateway (cloud metadata, sshd, etc.) via the SOCKS5 client.
Patched in v1.31.0 (release nym-binaries-v2026.9-venaco). If you’re operating an exit gateway and haven’t upgraded yet, please do.
Full write-up: zmain.info - Developer & Security Researcher