CVE-2025-10211

6.3 MEDIUM

📋 TL;DR

This is a Server-Side Request Forgery (SSRF) vulnerability in ChanCMS 3.3.0 that allows attackers to manipulate the taskUrl parameter to make the server send unauthorized requests to internal or external systems. The vulnerability affects all ChanCMS 3.3.0 installations with the vulnerable component enabled. Attackers can exploit this remotely without authentication.

💻 Affected Systems

Products:
  • yanyutao0402 ChanCMS
Versions: 3.3.0
Operating Systems: all
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the CollectController function at /cms/collect/getArticle. All default installations with this endpoint accessible are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could access internal services, exfiltrate sensitive data, or pivot to internal networks by making the server request internal resources like metadata services, databases, or administrative interfaces.

🟠 Likely Case

Attackers will scan for vulnerable instances and attempt to access cloud metadata services, internal APIs, or use the server as a proxy for attacks against other systems.

🟢 If Mitigated

With proper network segmentation and input validation, the impact is limited to the server making unauthorized external requests, which could still lead to data leakage or reputation damage.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof of concept is publicly available on GitHub. The exploit requires manipulating the taskUrl parameter to trigger SSRF.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: UNKNOWN

Vendor Advisory: NONE

Restart Required: No

Instructions:

No official patch is available as the vendor did not respond. Consider upgrading to a newer version if available, or apply workarounds.

🔧 Temporary Workarounds

Disable vulnerable endpoint

Platform: all

Block or disable access to the /cms/collect/getArticle endpoint

# Add to web server configuration (example in Apache 2.2 syntax, which also
# works on 2.4 with mod_access_compat; the native 2.4 directive inside the
# Location block is "Require all denied"):
<Location "/cms/collect/getArticle">
    Order deny,allow
    Deny from all
</Location>
# For Nginx (a prefix location is preferred over a catch-all "location /"
# that proxies to the application, so this applies even when ChanCMS sits
# behind the proxy):
location /cms/collect/getArticle {
    deny all;
    return 403;
}

Input validation filter

Platform: all

Implement strict input validation for the taskUrl parameter so that only expected URLs are accepted

# In application code, validate taskUrl before processing:
# Only allow specific domains or patterns
# Reject internal IP addresses, localhost, and metadata services

🧯 If You Can't Patch

  • Implement network segmentation to restrict the server's outbound connections to only necessary services
  • Deploy a Web Application Firewall (WAF) with SSRF protection rules to block malicious requests

🔍 How to Verify

Check if Vulnerable:

Test if the /cms/collect/getArticle endpoint accepts arbitrary URLs in the taskUrl parameter and makes external requests

Check Version:

Check CMS version in admin panel or configuration files

Verify Fix Applied:

Verify that the endpoint is no longer accessible or properly validates input by testing with malicious URLs

📡 Detection & Monitoring

Log Indicators:

  • Unusual outbound HTTP requests from the server to internal IPs or metadata services
  • Multiple requests to /cms/collect/getArticle with varying taskUrl parameters

Network Indicators:

  • Server making unexpected HTTP requests to internal network ranges or cloud metadata endpoints

SIEM Query:

source_ip=[server_ip] AND (dest_ip IN [internal_ranges] OR dest_host LIKE "*.metadata.*") AND http_method=GET
