CNNVD-202512-4817 Information

CNNVD ID

CNNVD-202512-4817

Related CVE

CVE-2025-15098

• CNNVD Published: 2025-12-26

Description (Chinese)

yudao-cloud是YunaiV个人开发者的一个后台管理系统。 yudao-cloud 2025.11及之前版本存在代码问题漏洞，该漏洞源于组件Business Process Management中BpmHttpCallbackTrigger/BpmSyncHttpRequestTrigger函数对参数url/header/body的错误操作，可能导致服务端请求伪造。

Description (English)

Yudao-cloud is a back-office management system for YunaiV personal developers. Yudao-claud 2025.11 and previous versions have a code problem loophole, which stems from the error of the BpmHtttpCallbackTrigger/BpmSyn(tpRequestTrigger) function on the parameter url/header/body of the component Business Production.

Hazard Level

High

Vulnerability Type

代码问题

Affected Vendor

个人开发者

Published

2025-12-26

Last Modified

2026-02-24

References

https://github.com/AnalogyC0de/public_exp/blob/main/archives/yudao-cloud-bpm_SSRF/report.md https://github.com/AnalogyC0de/public_exp/blob/main/archives/yudao-cloud-bpm_SSRF/report.md#proof-of-concept https://vuldb.com/?ctiid.338429 https://vuldb.com/?id.338429 https://vuldb.com/?submit.710170 https://access.redhat.com/security/cve/cve-2025-15098

Patch

https://cloud.iocoder.cn/