Menulux Mobile App CVE-2025-13474
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Authorization Bypass Through User-Controlled Key vulnerability in Menulux Software Inc. Mobile App allows Exploitation of Trusted Identifiers.
This issue affects Mobile App: before 9.5.8.
AnalysisAI
Information disclosure in Menulux Mobile App versions prior to 9.5.8 allows remote unauthenticated attackers to access other users' data by manipulating trusted identifiers (IDOR-style flaw). The vulnerability falls under CWE-639 (Authorization Bypass Through User-Controlled Key) and was reported by Turkey's national CERT (USOM). There is no public exploit identified at time of analysis, and EPSS scoring places exploitation probability at just 0.04% (13th percentile).
Technical ContextAI
Menulux is a restaurant management and ordering platform whose mobile application handles customer and order data. The flaw is a CWE-639 issue, in which the application uses an identifier supplied by the client (such as an order ID, user ID, or session reference passed in a request parameter) to look up resources without verifying that the authenticated requester is authorized to access that specific object. This is the classic Insecure Direct Object Reference (IDOR) pattern: predictable or enumerable IDs combined with missing object-level authorization checks, enabling 'exploitation of trusted identifiers' by simply substituting one ID for another in API calls. No CPE strings were provided in the available intelligence, so exact technology stack details (backend framework, API surface) are not confirmed.
Affected ProductsAI
Menulux Software Inc. Mobile App, all versions prior to 9.5.8. No CPE was published with this CVE, and the only references available are the Turkish national CERT advisories at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0457 and https://www.usom.gov.tr/bildirim/tr-25-0457; no direct vendor security advisory URL was provided in the intelligence.
RemediationAI
Upgrade Menulux Mobile App to version 9.5.8 or later, which the advisory identifies as the fixed release (Vendor-released patch: 9.5.8). Consult the USOM advisories at https://www.usom.gov.tr/bildirim/tr-25-0457 and https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0457 for vendor coordination details. Because the fix is server-side as well as client-side for typical IDOR issues, organizations relying on the Menulux backend should confirm with the vendor that backend authorization checks have been deployed (client-only updates would not remediate an API-level IDOR). As compensating controls until updates are confirmed, monitor backend API access logs for enumeration patterns (sequential ID access, high-volume requests against object-fetch endpoints) and rate-limit those endpoints; if feasible, restrict mobile API access to authenticated sessions with short-lived tokens - the trade-off is potential friction for legitimate users and possible disruption to ordering flows.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today