CVE-2025-63551
Last modified
CVE-2025-63551 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. A Server-Side Request Forgery (SSRF) vulnerability, achievable through an XML External Entity (XXE) injection, exists in MetInfo Content Management System (CMS) thru 8.1. This flaw stems from a defect in the XML parsing logic, which allows an attacker to construct a malicious XML entity that forces the server to initiate an HTTP request to an arbitrary internal or external network address. EPSS estimates a 0.42% chance of exploitation in the next 30 days.
Description
A Server-Side Request Forgery (SSRF) vulnerability, achievable through an XML External Entity (XXE) injection, exists in MetInfo Content Management System (CMS) thru 8.1. This flaw stems from a defect in the XML parsing logic, which allows an attacker to construct a malicious XML entity that forces the server to initiate an HTTP request to an arbitrary internal or external network address. Successful exploitation could lead to internal network reconnaissance, port scanning, or the retrieval of sensitive information. The vulnerability may be present in the backend API called by or associated with the path `/admin/#/webset/?head_tab_active=0`, where user-provided XML data is processed.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Metinfo | Metinfo | < 8.1 |
References
- https://github.com/sh4ll0t/SSRF-Vulnerability-in-MetInfo-via-XXE-InjectionExploit, Third Party Advisory
- https://github.com/sh4ll0t/SSRF-Vulnerability-in-MetInfo-via-XXE-Injection/blob/main/README.mdExploit, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2025-63551?
How severe is CVE-2025-63551?
How do I fix CVE-2025-63551?
Are you affected by CVE-2025-63551?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST