Manager-io/Manager is accounting software. In Manager Desktop and Server versions 25.11.1.3085 and below, a critical vulnerability permits unauthorized access to internal network resources. The flaw lies in the fundamental design of the DNS validation mechanism. A Time-of-Check Time-of-Use (TOCTOU) condition that allows attackers to bypass network isolation and access internal services, cloud metadata endpoints, and protected network segments. The Desktop edition requires no authentication; the Server edition requires only standard authentication. This issue is fixed in version 25.11.1.3086.
The vulnerability lies in a DNS validation mechanism that is susceptible to a Time-of-Check Time-of-Use (TOCTOU) attack — a classic race condition. An attacker can manipulate the DNS response between the moment of address verification and the moment of connection establishment, allowing network isolation to be bypassed (SSRF). This enables access to internal network services, cloud metadata endpoints (e.g., cloud metadata endpoints), and protected network segments. The Desktop version requires no authentication; the Server version requires only standard authentication.
An attacker can gain unauthorized access to internal network resources, protected network segments, and sensitive cloud metadata endpoints, which may lead to disclosure of confidential data, privilege escalation, or further infrastructure compromise.
The Manager software must be immediately updated to version 25.11.1.3086, in which the bug has been fixed. Details are available in the vendor's references (GitHub Security Advisory).
Manager Desktop and Manager Server in versions 25.11.1.3085 and earlier
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H