CVE-2025-15098
📋 TL;DR
This CVE describes a server-side request forgery (SSRF) vulnerability in YunaiV yudao-cloud's Business Process Management component. Attackers can manipulate URL, header, or body parameters in BpmHttpCallbackTrigger/BpmSyncHttpRequestTrigger functions to make the server send unauthorized requests to internal systems. Organizations using yudao-cloud up to version 2025.11 are affected.
💻 Affected Systems
- YunaiV yudao-cloud
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access internal services, exfiltrate sensitive data, or pivot to attack other internal systems by abusing the vulnerable server's network position.
Likely Case
Information disclosure from internal services, potential data exfiltration, or reconnaissance of internal network infrastructure.
If Mitigated
Limited impact if network segmentation restricts the vulnerable server's access to sensitive internal resources.
🎯 Exploit Status
Exploitation requires access to trigger the vulnerable BPM functions. A public proof-of-concept exists in a GitHub repository.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None provided
Restart Required: No
Instructions:
No official patch available. Consider upgrading to versions after 2025.11 if available, or implement workarounds.
🔧 Temporary Workarounds
Input Validation and URL Whitelisting
Implement strict validation of URL parameters to only allow trusted domains and protocols. Reject URLs pointing to internal IP ranges.
Network Segmentation
Restrict outbound network access from the vulnerable server to only necessary external services using firewall rules.
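One way to implement the "Input Validation and URL Whitelisting" workaround above, written as a language-agnostic reference in Python rather than as yudao-cloud's own Java code (this is an added example, not part of the advisory or the project): the callback URL is checked before any request is built, the scheme and host must be on an allowlist, embedded credentials are rejected, and every address the host resolves to is checked against non-global ranges, since an allowlisted name can still resolve inward. The allowlist, the constructed DNS table and the address 93.184.216.34 (standing in for a public address) are assumptions of the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical allowlist; a real deployment loads these from configuration and
# keeps them as short as the business process actually needs.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"callbacks.example.com", "api.partner.example"}

# Constructed DNS table standing in for real resolution so the example runs offline.
# 93.184.216.34 plays the role of a public address; 127.0.0.1 is a record pointing inward.
CONSTRUCTED_DNS = {
    "callbacks.example.com": ["93.184.216.34"],
    "api.partner.example": ["93.184.216.34", "127.0.0.1"],
}


def constructed_resolver(host, port, proto=0):
    """Mimics the return shape of socket.getaddrinfo using the constructed table."""
    if host not in CONSTRUCTED_DNS:
        raise socket.gaierror(f"constructed lookup failed for {host}")
    return [(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP, "", (ip, port))
            for ip in CONSTRUCTED_DNS[host]]


def is_disallowed_ip(ip):
    """Addresses a callback must never reach: loopback, RFC 1918, link-local
    (including the 169.254.169.254 cloud metadata address), shared address
    space, documentation ranges, IPv4-mapped IPv6 and multicast."""
    return ip.is_multicast or not ip.is_global


def validate_callback_url(url, resolver=socket.getaddrinfo):
    """Return (ok, reason). Decide before the request is built, never after."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme '{parts.scheme}' not allowed"
    host = parts.hostname  # lower-cased; IPv6 brackets already stripped
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    try:
        port = parts.port or 443
    except ValueError:
        return False, "invalid port"
    if host not in ALLOWED_HOSTS:
        return False, f"host '{host}' not in allowlist"
    # An allowlisted name can still resolve inward (stale record, split-horizon
    # DNS, DNS rebinding), so every address it resolves to is checked.
    try:
        infos = resolver(host, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror as exc:
        return False, f"DNS resolution failed: {exc}"
    for info in infos:
        ip = ipaddress.ip_address(info[4][0])
        if is_disallowed_ip(ip):
            return False, f"host resolves to disallowed address {ip}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in [
        "https://callbacks.example.com/hook",
        "https://api.partner.example/hook",
        "http://callbacks.example.com/hook",
        "https://169.254.169.254/latest/meta-data/",
        "https://user:secret@callbacks.example.com/hook",
    ]:
        print(candidate, "->", validate_callback_url(candidate, resolver=constructed_resolver))
```

Two design points matter when porting this into the trigger code: the HTTP client must not follow redirects automatically (each redirect target has to pass the same check), and the connection should be made to the address that was validated rather than re-resolving the name at connect time, otherwise a name that changes between check and use defeats the resolution check.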
🧯 If You Can't Patch
- Disable or restrict access to BpmHttpCallbackTrigger and BpmSyncHttpRequestTrigger functions if not required
- Implement web application firewall (WAF) rules to detect and block SSRF patterns in requests
🔍 How to Verify
Check if Vulnerable:
Check whether the yudao-cloud version is 2025.11 or earlier and whether the BPM component with the vulnerable functions is enabled. Test with controlled SSRF payloads to internal services.
Check Version:
Check application configuration or deployment manifests for yudao-cloud version information
Verify Fix Applied:
Test that URL/header/body manipulation no longer results in unauthorized outbound requests to internal or restricted addresses.
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound HTTP requests from server to internal IP addresses
- Requests to BPM functions with suspicious URL parameters
Network Indicators:
- Outbound connections from application server to unexpected internal services
- HTTP requests to internal IP ranges from application
SIEM Query (illustrative pseudo-syntax; adapt to your SIEM's query language):
source="yudao-cloud" AND (url CONTAINS "internal" OR url CONTAINS "localhost" OR url CONTAINS "127.0.0.1" OR url CONTAINS "192.168." OR url CONTAINS "10." OR url CONTAINS "172.16.")
Note that the substring matches are approximations: "10." also matches any path or version string containing it, and "172.16." covers only 172.16.0.0/16 rather than the full 172.16.0.0/12 (172.16 through 172.31). Where the SIEM supports CIDR matching on the destination host, prefer that to substring matching.
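As an added example (not part of the advisory), the same detection run over constructed sample log lines with proper address classification instead of substring matching: destinations that are IP literals are tested with Python's ipaddress module, so 172.20.0.5 is caught even though "172.16." would miss it, while a version string such as /v10.2/ in a public URL is not a false positive. The log layout, the regex and the internal-name suffix list are assumptions; the real yudao-cloud log format will differ, and the regex is the part to adapt.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample lines in a hypothetical log layout (not yudao-cloud's real format).
SAMPLE_LOGS = [
    '2025-11-20T10:00:01Z INFO BpmHttpCallbackTrigger url="https://partner.example/v10.2/hook" status=200',
    '2025-11-20T10:00:02Z INFO BpmSyncHttpRequestTrigger url="http://172.20.0.5:8080/status" status=200',
    '2025-11-20T10:00:03Z INFO BpmHttpCallbackTrigger url="http://169.254.169.254/latest/meta-data/" status=200',
    '2025-11-20T10:00:04Z INFO BpmHttpCallbackTrigger url="http://localhost:8081/" status=500',
    '2025-11-20T10:00:05Z INFO BpmSyncHttpRequestTrigger url="http://[::1]:8080/health" status=200',
    '2025-11-20T10:00:06Z INFO BpmHttpCallbackTrigger url="https://callbacks.example.com/hook" status=200',
    '2025-11-20T10:00:07Z INFO UserLoginService user=alice',  # unrelated line, ignored
]

# Matches the trigger class name and the quoted URL in the constructed layout.
LOG_RE = re.compile(r'(?P<trigger>Bpm\w+Trigger)\s+url="(?P<url>[^"]+)"')

# Constructed heuristic for names that cannot be resolved at scan time; tune per environment.
INTERNAL_NAME_SUFFIXES = (".internal", ".local", ".localdomain")


def classify_destination(url):
    """Return a reason string if the URL's destination looks internal, else None."""
    host = urlsplit(url).hostname
    if not host:
        return "malformed URL"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: fall back to name-based heuristics.
        if host == "localhost" or host.endswith(INTERNAL_NAME_SUFFIXES):
            return f"internal hostname {host}"
        return None
    # Covers loopback, RFC 1918, link-local (cloud metadata), shared address
    # space, documentation ranges and IPv4-mapped IPv6 in one check.
    if ip.is_multicast or not ip.is_global:
        return f"non-global address {ip}"
    return None


def scan_logs(lines):
    """Return (trigger, url, reason) for every trigger log line with an internal destination."""
    hits = []
    for line in lines:
        match = LOG_RE.search(line)
        if not match:
            continue
        reason = classify_destination(match.group("url"))
        if reason:
            hits.append((match.group("trigger"), match.group("url"), reason))
    return hits


if __name__ == "__main__":
    for trigger, url, reason in scan_logs(SAMPLE_LOGS):
        print(f"{trigger}: {url} ({reason})")
```

Hostnames that are not IP literals are only flagged by suffix here; in a real pipeline, enrich them with the DNS answers recorded at request time (or with resolver logs) so that an external-looking name resolving to an internal address is also caught.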