Login Sign Up

CVE-2025-60645

6.5 MEDIUM
Authentication Bypass CSRF

📋 TL;DR

A Cross-Site Request Forgery (CSRF) vulnerability in xxl-api v1.3.0 allows attackers to trick authenticated administrators into executing unauthorized actions. Attackers can add arbitrary users to the management module via crafted GET requests. This affects any deployment of xxl-api v1.3.0 with the management module accessible.

💻 Affected Systems

Products:
  • xxl-api
Versions: v1.3.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments with the management module enabled and accessible to authenticated users.

📦 What is this software?

Xxl Api by Xuxueli

View all CVEs affecting Xxl Api →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain administrative access by adding themselves as users, leading to complete system compromise, data theft, or further privilege escalation.

🟠

Likely Case

Unauthorized users are added to the system with administrative privileges, enabling data access, configuration changes, or lateral movement.

🟢

If Mitigated

With proper CSRF protections, the attack fails, maintaining system integrity and preventing unauthorized user creation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the victim to be authenticated as an administrator and visit a malicious page. The proof-of-concept is publicly available in the GitHub issue.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: https://github.com/xuxueli/xxl-api/issues/64

Restart Required: No

Instructions:

No official patch is available. Apply workarounds or upgrade to a newer version if one becomes available.

🔧 Temporary Workarounds

Implement CSRF Tokens

all

Add CSRF protection tokens to all state-changing requests in the management module.

Modify source code to include CSRF tokens in forms and validate them on the server.

Restrict Management Module Access

all

Limit access to the management module to trusted IP addresses or networks.

Configure web server (e.g., Apache, Nginx) to restrict access via IP whitelisting.

🧯 If You Can't Patch

  • Monitor for unauthorized user creation in logs and alert on suspicious activity.
  • Implement strong authentication and session management to reduce the window of opportunity for CSRF attacks.

🔍 How to Verify

Check if Vulnerable:

Check if running xxl-api v1.3.0 and if the management module is accessible without CSRF protection.

Check Version:

Check the application version in the web interface or configuration files.

Verify Fix Applied:

Test that CSRF tokens are required for user addition requests and that unauthorized requests are rejected.

📡 Detection & Monitoring

Log Indicators:

  • Log entries showing user creation from unexpected IP addresses or without proper authentication context.

Network Indicators:

  • HTTP GET requests to user addition endpoints without CSRF tokens.

SIEM Query:

source="web_logs" AND (uri="/api/user/add" OR uri CONTAINS "addUser") AND method="GET"

📊 Metadata

CVE ID: CVE-2025-60645
CVSS v3 Score: 6.5 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
CWE: CWE-352
EPSS Score: 0.03% exploit probability (6.2th percentile)
Published: November 12, 2025
Last Updated: December 3, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-60645, you might also want to check these:

CVE-2025-23922 10.0

A Cross-Site Request Forgery (CSRF) vulnerability in the Harsh iSpring Embedder WordPress plugin all...

Same vulnerability type (CWE-352)
CVE-2020-23426 9.8

CVE-2020-23426 is a privilege escalation vulnerability in zzcms 201910 that allows attackers to gain...

Same vulnerability type (CWE-352)
CVE-2024-33449 9.8

This SSRF vulnerability in PDFMyURL allows attackers to make the service send requests to internal s...

Same vulnerability type (CWE-352)