CVE-2025-13796

6.3 MEDIUM

📋 TL;DR

This Server-Side Request Forgery (SSRF) vulnerability in deco-cx apps allows attackers to manipulate the AnalyticsScript function's URL parameter, forcing the server to make unauthorized requests to internal or external systems. Attackers can exploit this remotely to access internal services, perform port scanning, or interact with cloud metadata APIs. All users running deco-cx apps versions up to 0.120.1 are affected.

💻 Affected Systems

Products:
  • deco-cx apps
Versions: up to 0.120.1
Operating Systems: all
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the Parameter Handler component's AnalyticsScript function in website/loaders/analyticsScript.ts

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could access internal services, reach cloud metadata APIs (exposing credentials), perform port scanning, or use the vulnerable server as a proxy for attacks against other systems.

🟠 Likely Case

Information disclosure from internal services, reconnaissance of the internal network, or interaction with cloud metadata endpoints.

🟢 If Mitigated

Limited impact if network segmentation restricts outbound connections and internal services require authentication.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A proof of concept has been publicly disclosed, and manipulation of the URL parameter is straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.120.2

Vendor Advisory: https://github.com/deco-cx/apps/releases/tag/0.120.2

Restart Required: Yes

Instructions:

  1. Update deco-cx apps to version 0.120.2 or later.
  2. Restart the application/service.
  3. Verify the fix is applied.

🔧 Temporary Workarounds

Input Validation Filter (applies to: all)

Implement strict validation of URL parameters to block internal IP addresses and localhost references.

Network Restriction (applies to: all)

Configure firewall rules to restrict outbound connections from the application server.

🧯 If You Can't Patch

  • Implement Web Application Firewall (WAF) rules to block SSRF patterns in URL parameters
  • Restrict application server's network access to only required external services

🔍 How to Verify

Check if Vulnerable:

Check package.json or application version for deco-cx apps version <= 0.120.1

Check Version:

npm list deco-cx/apps or check package.json version field

Verify Fix Applied:

Confirm version is 0.120.2 or later and test URL parameter validation in AnalyticsScript function

📡 Detection & Monitoring

Log Indicators:

  • Unusual outbound HTTP requests from application server
  • Requests to internal IP addresses or localhost
  • Multiple failed connection attempts to various ports

Network Indicators:

  • Outbound connections to unexpected destinations from application server
  • Port scanning patterns from application server

SIEM Query:

source="application_logs" AND (url_parameter="*://127.0.0.1*" OR url_parameter="*://localhost*" OR url_parameter="*://192.168.*" OR url_parameter="*://10.*" OR url_parameter="*://172.16.*" OR url_parameter="*://169.254.*")

Caveat: the 172.16.* wildcard matches only 172.16.0.0/16, whereas the private block is 172.16.0.0/12 (172.16.* through 172.31.*), so add one term per second octet or use your SIEM's CIDR match. The 169.254.* term covers link-local addresses, including the 169.254.169.254 cloud metadata endpoint mentioned in the TL;DR.
