CVE-2025-10391

6.3 MEDIUM

📋 TL;DR

This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in CRMEB versions up to 5.6.1. Attackers can manipulate the push_token_url parameter in the testOutUrl function to make the server send unauthorized requests to internal or external systems. All CRMEB installations up to version 5.6.1 are affected.

💻 Affected Systems

Products:
  • CRMEB
Versions: up to 5.6.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of affected CRMEB versions are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could access internal services, exfiltrate sensitive data, or pivot to internal network resources, potentially leading to full system compromise.

🟠 Likely Case

Attackers scan internal networks, access metadata services, or interact with internal APIs to gather information or perform limited actions.

🟢 If Mitigated

With proper network segmentation and input validation, impact is limited to the application server's network access scope.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit details are publicly available in GitHub repositories. Attack requires access to the vulnerable function.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

Upgrade to a version beyond 5.6.1 if one is available. Since the vendor has not responded, consider applying manual fixes or workarounds.

🔧 Temporary Workarounds

Input Validation and Sanitization

Add validation to ensure the push_token_url parameter only accepts expected URLs and blocks internal IP ranges.

Modify app/services/out/OutAccountServices.php to validate URLs before processing.
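The following is an added example of the kind of validation described above and is not CRMEB's own code; the function names isSafePushTokenUrl and isPublicAddress are hypothetical, and the example assumes PHP 7.4 or later with the standard filter and DNS functions. It accepts only http(s) URLs, resolves the hostname itself so that a DNS name pointing at an internal address is caught, and rejects loopback, RFC 1918, link-local (including 169.254.169.254), carrier-grade NAT and other reserved ranges. An optional exact-match host allow-list gives the stricter "only accepts expected URLs" behaviour.

```php
<?php
// Added example (not CRMEB code): validate an untrusted push_token_url value
// before the server is allowed to fetch it. Function names are hypothetical.
declare(strict_types=1);

/**
 * Return true only if $url is an http(s) URL whose host resolves exclusively
 * to publicly routable addresses. If $allowedHosts is non-empty, the host must
 * also appear in that list exactly.
 *
 * @param string   $url          Untrusted value taken from the request
 * @param string[] $allowedHosts Optional exact hostnames that are permitted
 */
function isSafePushTokenUrl(string $url, array $allowedHosts = []): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    // Only plain web schemes; this rejects file://, gopher://, dict:// and friends.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // Embedded credentials (user:pass@host) are a common parser-confusion trick.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }
    // parse_url keeps the brackets around IPv6 literals; strip them for checks.
    $host = strtolower(trim($parts['host'], '[]'));

    // Strict allow-list when the deployment knows which push endpoint(s) it uses.
    if ($allowedHosts !== []
        && !in_array($host, array_map('strtolower', $allowedHosts), true)) {
        return false;
    }

    // Resolve the name ourselves so a hostname that points at an internal
    // address (or at a metadata service) is rejected, not just literal IPs.
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $addresses = [$host];
    } else {
        $addresses = [];
        foreach ((dns_get_record($host, DNS_A | DNS_AAAA) ?: []) as $rr) {
            $addresses[] = $rr['ip'] ?? $rr['ipv6'] ?? '';
        }
        if ($addresses === []) {
            return false; // unresolvable host: fail closed
        }
    }

    foreach ($addresses as $ip) {
        if (!isPublicAddress($ip)) {
            return false; // every resolved address must be public
        }
    }
    return true;
}

/**
 * True if $ip is a syntactically valid IPv4/IPv6 address outside the private,
 * loopback, link-local, IPv4-mapped and carrier-grade NAT ranges.
 */
function isPublicAddress(string $ip): bool
{
    // NO_PRIV_RANGE: 10/8, 172.16/12, 192.168/16, fc00::/7
    // NO_RES_RANGE:  0/8, 127/8, 169.254/16, 240/4, ::/128, ::1/128,
    //                ::ffff:0:0/96, fe80::/10
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
        return false;
    }
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        // 100.64.0.0/10 (carrier-grade NAT) is not covered by the filter flags.
        $n = ip2long($ip);
        if (($n & 0xFFC00000) === 0x64400000) {
            return false;
        }
    }
    return true;
}

// Usage with constructed inputs; the literal-IP cases need no DNS lookup.
var_dump(isSafePushTokenUrl('http://169.254.169.254/latest/meta-data/'));
var_dump(isSafePushTokenUrl('http://10.0.0.5/push'));
var_dump(isSafePushTokenUrl('http://[::1]/push'));
var_dump(isSafePushTokenUrl('file:///etc/passwd'));
var_dump(isSafePushTokenUrl('https://203.0.113.10/push', ['push.example.com']));
var_dump(isSafePushTokenUrl('https://203.0.113.10/push'));
```

Two caveats apply to any check of this shape. First, the validation and the fetch are separate steps, so the HTTP client should connect to the address that was just validated (for example by pinning it with cURL's CURLOPT_RESOLVE) rather than resolving the name a second time. Second, the client must not follow redirects automatically (CURLOPT_FOLLOWLOCATION off), or each redirect target has to pass through the same validator, since a permitted external host can otherwise redirect the server to an internal one.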

Network Segmentation

Restrict outbound network access from the CRMEB server to only the necessary external services.

Configure firewall rules to block outbound requests to internal IP ranges from the CRMEB server.

🧯 If You Can't Patch

  • Implement Web Application Firewall (WAF) rules to block SSRF patterns
  • Monitor outbound network traffic from CRMEB server for unusual requests

🔍 How to Verify

Check if Vulnerable:

Check if CRMEB version is 5.6.1 or earlier. Review app/services/out/OutAccountServices.php for the testOutUrl function.

Check Version:

Check CRMEB version in system configuration or admin panel

Verify Fix Applied:

Test if push_token_url parameter validation prevents requests to internal IPs or unexpected domains.

📡 Detection & Monitoring

Log Indicators:

  • Unusual outbound HTTP requests from CRMEB server
  • Requests to internal IP addresses or metadata services

Network Indicators:

  • Outbound HTTP requests from CRMEB server to unexpected destinations
  • Requests to AWS metadata service (169.254.169.254) or similar

SIEM Query:

source_ip="CRMEB_SERVER_IP" AND dest_ip IN (RFC1918_RANGES, 169.254.169.254, 127.0.0.1)
