Login Sign Up

CVE-2025-60833

6.5 MEDIUM
Remote Code Execution SSRF XXE

📋 TL;DR

This XML External Entity (XXE) vulnerability in the uzy-ssm-mall e-commerce platform allows attackers to execute arbitrary code by sending specially crafted XML data to the /mall/wxpay/pay endpoint. It affects version 1.1.0 of the software, potentially compromising systems running this vulnerable version.

💻 Affected Systems

Products:
  • uzy-ssm-mall
Versions: v1.1.0
Operating Systems: Any OS running the vulnerable software
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the WeChat payment integration component specifically.

📦 What is this software?

Uzy Ssm Mall by Ghostxbh

View all CVEs affecting Uzy Ssm Mall →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with remote code execution, data exfiltration, and complete control over the affected server.

🟠

Likely Case

Server-side request forgery (SSRF), file disclosure from the server, and potential denial of service.

🟢

If Mitigated

Limited impact with proper XML parsing configuration and input validation in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires sending crafted XML to the vulnerable endpoint, but no public exploit code is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v1.1.1 or later

Vendor Advisory: https://github.com/ChangeYourWay/post/blob/main/uzy-ssm-mall.md

Restart Required: No

Instructions:

1. Update to v1.1.1 or later version of uzy-ssm-mall. 2. Replace the vulnerable XML parser with a secure configuration that disables XXE processing. 3. Validate and sanitize all XML input before processing.

🔧 Temporary Workarounds

Disable XXE in XML Parser

all

Configure the XML parser to disable external entity processing

Set XML parser properties: FEATURE_SECURE_PROCESSING = true, DISALLOW_DOCTYPE_DECL = true

Input Validation Filter

all

Implement strict input validation to reject XML containing DOCTYPE declarations

Add input filter to reject requests containing '<!DOCTYPE' or '<!ENTITY' patterns

🧯 If You Can't Patch

  • Implement a web application firewall (WAF) with XXE protection rules
  • Block or restrict access to the /mall/wxpay/pay endpoint

🔍 How to Verify

Check if Vulnerable:

Test by sending XML with external entity declaration to /mall/wxpay/pay endpoint and checking for file disclosure or SSRF behavior

Check Version:

Check package.json or project configuration for version number

Verify Fix Applied:

Attempt the same XXE payload after patching; it should be rejected or processed safely without external entity resolution

📡 Detection & Monitoring

Log Indicators:

  • Unusual XML payloads in request logs
  • Requests containing DOCTYPE or ENTITY declarations
  • Unexpected outbound connections from the application server

Network Indicators:

  • HTTP requests to internal services from the application server
  • Unusual file retrieval patterns

SIEM Query:

source="application_logs" AND ("<!DOCTYPE" OR "<!ENTITY" OR "SYSTEM")

📊 Metadata

CVE ID: CVE-2025-60833
CVSS v3 Score: 6.5 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CWE: CWE-91
EPSS Score: 0.13% exploit probability (32.6th percentile)
Published: October 8, 2025
Last Updated: October 10, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-60833, you might also want to check these:

CVE-2019-19450 9.8

CVE-2019-19450 is a critical remote code execution vulnerability in ReportLab's paraparser module. A...

Same vulnerability type (CWE-91)
CVE-2020-29128 9.8

CVE-2020-29128 is an XML External Entity (XXE) vulnerability in petl versions before 1.68 that allow...

Same vulnerability type (CWE-91)
CVE-2021-38948 9.1

IBM InfoSphere Information Server 11.7 has an XML External Entity Injection (XXE) vulnerability that...

Same vulnerability type (CWE-91)