CVE-2025-25379

9.6 CRITICAL

📋 TL;DR

A Cross-Site Request Forgery (CSRF) vulnerability in 07FLYCMS v1.3.9 allows remote attackers to trick authenticated users into executing unauthorized delete operations via the id parameter in the del.html component. This affects all 07FLYCMS installations running version 1.3.9 with default configurations.

💻 Affected Systems

Products:
  • 07FLYCMS
Versions: v1.3.9
Operating Systems: All operating systems running 07FLYCMS
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of 07FLYCMS v1.3.9 are vulnerable. The vulnerability exists in the del.html component's id parameter handling.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise through arbitrary code execution leading to data destruction, privilege escalation, and full administrative control loss.

🟠

Likely Case

Unauthorized deletion of critical content or data through CSRF attacks against authenticated users.

🟢

If Mitigated

Limited impact with proper CSRF protections, authentication controls, and network segmentation in place.

🌐 Internet-Facing: HIGH - Web applications are inherently internet-facing and CSRF attacks can be launched remotely.
🏢 Internal Only: MEDIUM - Internal users could still be targeted via phishing or malicious internal sites.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the victim to be authenticated. Attackers can craft malicious web pages or emails containing CSRF payloads targeting the del.html endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No official vendor advisory found

Restart Required: No

Instructions:

1. Check for official patch from 07FLYCMS developers
2. If patch available, download and apply according to vendor instructions
3. Test functionality after patching
4. Monitor for any regressions

🔧 Temporary Workarounds

Implement CSRF Tokens (applies to: all)

Add anti-CSRF tokens to all state-changing operations, particularly the del.html endpoint.

Implement CSRF token generation and validation in your application code.

SameSite Cookie Attribute (applies to: all)

Set the SameSite=Strict or SameSite=Lax attribute on session cookies, for example:

Set-Cookie: session=value; SameSite=Strict; Secure; HttpOnly
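The two workarounds above (synchronizer CSRF tokens and hardened session cookies) are shown together in the following Python model of a delete handler. This is an added example, not code from 07FLYCMS or from this advisory: the in-memory session and content stores, the host name cms.example, the function names and the request dictionaries are all constructed for the demonstration. The handler with enforce_csrf=False mimics the unprotected behaviour described for v1.3.9; with enforce_csrf=True it requires a session-bound token and a same-origin Origin/Referer header before deleting anything.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse

# Assumption: a long-lived server-side secret loaded from configuration;
# generated at import time here only so the example runs stand-alone.
SERVER_SECRET = secrets.token_bytes(32)

# Hypothetical hostname the CMS is served from; used for the Origin/Referer check.
CMS_HOST = "cms.example"

# Constructed in-memory stand-ins for the session store and the content table.
SESSIONS: Dict[str, Dict[str, str]] = {}
CONTENT: Dict[int, str] = {}


def reset_content() -> None:
    CONTENT.clear()
    CONTENT.update({1: "About page", 2: "Contact page"})


def create_session(user: str) -> str:
    """Log a user in: random session id plus a per-session CSRF nonce."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf_nonce": secrets.token_urlsafe(32)}
    return sid


def session_cookie_header(sid: str) -> str:
    """Set-Cookie line carrying the attributes recommended in the workaround above."""
    return f"Set-Cookie: session={sid}; SameSite=Strict; Secure; HttpOnly; Path=/"


def issue_csrf_token(sid: str) -> str:
    """Synchronizer token: HMAC over the session id and its nonce, so a token
    issued for one session is useless in any other."""
    nonce = SESSIONS[sid]["csrf_nonce"]
    return hmac.new(SERVER_SECRET, f"{sid}:{nonce}".encode(), hashlib.sha256).hexdigest()


def validate_csrf_token(sid: str, token: Optional[str]) -> bool:
    if sid not in SESSIONS or not token:
        return False
    # Constant-time comparison avoids leaking the expected token byte by byte.
    return hmac.compare_digest(issue_csrf_token(sid), token)


def origin_allowed(headers: Dict[str, str]) -> bool:
    """Defence in depth: state-changing requests must come from our own origin.
    Browsers send Origin on cross-site POSTs; Referer is used as a fallback."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    return urlparse(source).hostname == CMS_HOST


def handle_delete(request: dict, enforce_csrf: bool = True) -> Tuple[int, str]:
    """Model of a del.html handler. enforce_csrf=False mimics the unprotected behaviour."""
    cookies = request.get("cookies", {})
    form = request.get("form", {})
    sid = cookies.get("session", "")
    if sid not in SESSIONS:
        return 401, "not authenticated"
    if enforce_csrf:
        if not validate_csrf_token(sid, form.get("csrf_token")):
            return 403, "missing or invalid CSRF token"
        if not origin_allowed(request.get("headers", {})):
            return 403, "cross-origin request rejected"
    try:
        item_id = int(form.get("id", ""))
    except ValueError:
        return 400, "bad id"
    if item_id not in CONTENT:
        return 404, "no such item"
    del CONTENT[item_id]
    return 200, f"deleted {item_id}"


def demo() -> Dict[str, int]:
    """Send a cross-site request and a legitimate one through both handler modes."""
    reset_content()
    sid = create_session("admin")
    # The browser attaches the session cookie automatically, but a third-party
    # page cannot read the token embedded in the CMS's own forms.
    forged = {"cookies": {"session": sid},
              "headers": {"Origin": "https://other-site.example"},
              "form": {"id": "1"}}
    legit = {"cookies": {"session": sid},
             "headers": {"Origin": f"https://{CMS_HOST}"},
             "form": {"id": "1", "csrf_token": issue_csrf_token(sid)}}
    results = {}
    results["forged_unprotected"] = handle_delete(forged, enforce_csrf=False)[0]  # 200
    reset_content()
    results["forged_protected"] = handle_delete(forged, enforce_csrf=True)[0]     # 403
    results["legit_protected"] = handle_delete(legit, enforce_csrf=True)[0]       # 200
    return results


if __name__ == "__main__":
    print(demo())
    print(session_cookie_header(create_session("admin")))
```

With SameSite=Strict on the session cookie, the browser would not even attach the cookie to the cross-site request, so the handler would answer 401 rather than 403; the token check remains the primary control because older browsers and some proxy setups do not honour SameSite.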

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules for the del.html endpoint (for example, rejecting requests whose Origin or Referer header does not match your own site)
  • Restrict access to administrative functions to specific IP addresses or network segments only

🔍 How to Verify

Check if Vulnerable:

Check whether your 07FLYCMS version is 1.3.9, and test whether the del.html endpoint accepts requests that carry no CSRF token while a user is authenticated

Check Version:

Check 07FLYCMS configuration files or admin panel for version information

Verify Fix Applied:

Verify that all state-changing operations, especially del.html, require and validate CSRF tokens

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed delete attempts from same IP
  • Unusual delete patterns in application logs
  • Requests to del.html without referrer headers

Network Indicators:

  • HTTP POST requests to del.html endpoint with suspicious referrers
  • Cross-origin requests to administrative endpoints

SIEM Query:

source="web_logs" AND (uri="/del.html" OR uri="*del.html*") AND (NOT referrer="*yourdomain.com*")

Replace yourdomain.com with the host your 07FLYCMS instance is served from; field names such as uri and referrer depend on your log source.
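The log indicators and the SIEM query above can be reproduced offline against raw web server logs. The Python below is an added example, not part of this advisory: it parses Combined Log Format lines, flags requests to del.html whose Referer is missing or points at another host, and counts flagged requests per source IP to surface the "multiple attempts from the same IP" indicator. The log lines, the host cms.example and the threshold are constructed for the demonstration.

```python
import re
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Combined Log Format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log lines (not taken from any real deployment).
SAMPLE_LOG: List[str] = [
    '203.0.113.5 - admin [10/Mar/2025:12:00:01 +0000] "POST /admin/del.html?id=7 HTTP/1.1" 200 512 "https://cms.example/admin/list.html" "Mozilla/5.0"',
    '203.0.113.9 - admin [10/Mar/2025:12:00:02 +0000] "GET /admin/del.html?id=8 HTTP/1.1" 200 512 "https://other-site.example/page.html" "Mozilla/5.0"',
    '203.0.113.9 - admin [10/Mar/2025:12:00:03 +0000] "GET /admin/del.html?id=9 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - admin [10/Mar/2025:12:00:04 +0000] "GET /admin/del.html?id=10 HTTP/1.1" 403 128 "-" "Mozilla/5.0"',
    '203.0.113.5 - admin [10/Mar/2025:12:00:05 +0000] "GET /admin/index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]


def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one log line, or None if it is not in the expected format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_suspicious_delete(entry: Dict[str, str], own_host: str) -> bool:
    """Mirror of the SIEM query: a del.html request whose Referer is absent or foreign."""
    path = entry["path"].split("?", 1)[0]
    if "del.html" not in path:
        return False
    referer = entry["referer"]
    if referer in ("", "-"):
        return True
    return urlparse(referer).hostname != own_host


def analyze(lines: List[str], own_host: str, threshold: int = 3) -> Dict[str, object]:
    """Flag suspicious delete requests and report source IPs at or above the threshold."""
    flagged = [e for e in map(parse_log_line, lines) if e and is_suspicious_delete(e, own_host)]
    by_ip = Counter(e["ip"] for e in flagged)
    repeat_ips = sorted(ip for ip, n in by_ip.items() if n >= threshold)
    return {"flagged": flagged, "by_ip": dict(by_ip), "repeat_ips": repeat_ips}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG, "cms.example")
    for e in report["flagged"]:
        print(e["ip"], e["method"], e["path"], e["status"], e["referer"])
    print("repeat offenders:", report["repeat_ips"])
```

A missing Referer is an indicator rather than proof: browsers drop it under strict Referrer-Policy settings and some privacy extensions strip it, so legitimate administrators may appear in the flagged list. Correlate with the response status and with the request method once the fix is applied (the legitimate path should be a same-origin POST carrying a token, so anything else hitting del.html deserves a look).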

🔗 References
