Vulnerability Description
A Server-Side Request Forgery (SSRF) vulnerability, achievable through an XML External Entity (XXE) injection, exists in MetInfo Content Management System (CMS) thru 8.1. This flaw stems from a defect in the XML parsing logic, which allows an attacker to construct a malicious XML entity that forces the server to initiate an HTTP request to an arbitrary internal or external network address. Successful exploitation could lead to internal network reconnaissance, port scanning, or the retrieval of sensitive information. The vulnerability may be present in the backend API called by or associated with the path `/admin/#/webset/?head_tab_active=0`, where user-provided XML data is processed.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Metinfo | Metinfo | < 8.1 |
Related Weaknesses (CWE)
References
- https://github.com/sh4ll0t/SSRF-Vulnerability-in-MetInfo-via-XXE-InjectionExploitThird Party Advisory
- https://github.com/sh4ll0t/SSRF-Vulnerability-in-MetInfo-via-XXE-Injection/blob/ExploitThird Party Advisory
FAQ
What is CVE-2025-63551?
CVE-2025-63551 is a vulnerability with a CVSS score of 7.5 (HIGH). A Server-Side Request Forgery (SSRF) vulnerability, achievable through an XML External Entity (XXE) injection, exists in MetInfo Content Management System (CMS) thru 8.1. This flaw stems from a defect...
How severe is CVE-2025-63551?
CVE-2025-63551 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-63551?
Check the references section above for vendor advisories and patch information. Affected products include: Metinfo Metinfo.