CVE-2025-13588

6.3 MEDIUM

📋 TL;DR

This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in lKinderBueno Streamity Xtream IPTV Player versions up to 2.8. Attackers can exploit this vulnerability remotely to make the vulnerable server send unauthorized requests to internal or external systems. All users running affected versions of this IPTV player software are at risk.

💻 Affected Systems

Products:
  • lKinderBueno Streamity Xtream IPTV Player
Versions: up to version 2.8
Operating Systems: Any OS running the vulnerable software
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability is in the public/proxy.php file and affects all installations of the affected versions.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could use the vulnerable server as a proxy to attack internal systems, access cloud metadata services, perform port scanning, or interact with internal APIs that should not be externally accessible.

🟠 Likely Case

Attackers will use the vulnerability to scan internal networks, access internal web applications, or make requests to external services while hiding their true IP address.

🟢 If Mitigated

With proper network segmentation and egress filtering, the impact is limited to the vulnerable server itself and any directly accessible services.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The exploit has been made public according to the CVE description, and SSRF vulnerabilities are commonly weaponized due to their utility in network reconnaissance and chained attacks.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.8.1

Vendor Advisory: https://github.com/lKinderBueno/Streamity-Xtream-IPTV-Web-player/releases/tag/v2.8.1

Restart Required: Yes

Instructions:

  1. Download version 2.8.1 from the official GitHub repository.
  2. Replace the existing installation with the patched version.
  3. Restart the web server or application service.
  4. Verify the patch is applied by checking the version.

🔧 Temporary Workarounds

Block access to proxy.php (all platforms)

Temporarily disable the vulnerable endpoint by blocking access to the public/proxy.php file.

# For Apache: add to the .htaccess in the public/ directory
<Files "proxy.php">
    <IfModule mod_authz_core.c>
        # Apache 2.4+
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order Allow,Deny
        Deny from all
    </IfModule>
</Files>
# For Nginx: add to the server block, before the generic PHP handler location
# (the first matching regex location wins); "deny all" answers with 403 by itself
location ~ /public/proxy\.php$ {
    deny all;
}

Implement input validation (all platforms)

Add validation to reject URLs that point to internal or restricted addresses.

# Example PHP validation snippet: allow only http(s) URLs to allow-listed hosts
$allowed_domains = ['example.com', 'trusted-service.com'];
$url = $_GET['url'] ?? '';
$parsed = parse_url($url) ?: [];   # parse_url() returns false on malformed input
$scheme = strtolower($parsed['scheme'] ?? '');
$host = strtolower($parsed['host'] ?? '');
if (!in_array($scheme, ['http', 'https'], true)
    || !in_array($host, $allowed_domains, true)) {
    http_response_code(403);
    exit('Access denied');
}
# Also disable redirect following in the outbound fetch, or re-validate each hop,
# otherwise an allow-listed host can redirect the server to an internal address.

🧯 If You Can't Patch

  • Implement strict network egress filtering to limit what destinations the server can reach
  • Place the vulnerable server in a DMZ or isolated network segment to limit lateral movement

🔍 How to Verify

Check if Vulnerable:

Check if the file public/proxy.php exists and if the version is 2.8 or earlier. Test by attempting to make the server request an internal resource via the proxy endpoint.

Check Version:

Check the application's version file or configuration, or examine the GitHub commit hash in the codebase.

Verify Fix Applied:

After patching, verify the version is 2.8.1 and test that the proxy.php endpoint properly validates and restricts URL requests.

📡 Detection & Monitoring

Log Indicators:

  • Unusual requests to proxy.php with various URL parameters
  • Outbound requests from the server to unexpected internal IP addresses or services
  • Multiple failed requests to internal endpoints from the server IP

Network Indicators:

  • Unusual outbound traffic patterns from the server to internal network segments
  • Port scanning activity originating from the server
  • Requests to cloud metadata endpoints (169.254.169.254, etc.)

SIEM Query:

source="web_server_logs" AND uri="/public/proxy.php" AND (status=200 OR status=302) | stats count by src_ip, uri, user_agent
