CVE-2025-15098

Summary

A vulnerability was determined in YunaiV yudao-cloud up to 2025.11. This affects the function BpmHttpCallbackTrigger/BpmSyncHttpRequestTrigger of the component Business Process Management. Executing manipulation of the argument url/header/body can lead to server-side request forgery. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

Affected Software

VendorProductVersion RangeStatus
YunaiVyudao-cloud2025.0affected
YunaiVyudao-cloud2025.1affected
YunaiVyudao-cloud2025.2affected
YunaiVyudao-cloud2025.3affected
YunaiVyudao-cloud2025.4affected
YunaiVyudao-cloud2025.5affected
YunaiVyudao-cloud2025.6affected
YunaiVyudao-cloud2025.7affected
YunaiVyudao-cloud2025.8affected
YunaiVyudao-cloud2025.9affected
YunaiVyudao-cloud2025.10affected
YunaiVyudao-cloud2025.11affected

Weaknesses

  • CWE-918: Server-Side Request Forgery

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References