DecoCMS Mesh CVE-2025-14660
LOWSeverity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A flaw has been found in DecoCMS Mesh up to 1.0.0-alpha.31. Affected by this vulnerability is the function createTool of the file packages/sdk/src/mcp/teams/api.ts of the component Workspace Domain Handler. This manipulation of the argument domain causes improper access controls. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been published and may be used. Upgrading to version 1.0.0-alpha.32 addresses this issue. Patch name: 5f7315e05852faf3a9c177c0a34f9ea9b0371d3d. It is recommended to upgrade the affected component.
AnalysisAI
Improper access controls in DecoCMS Mesh up to 1.0.0-alpha.31 allow remote attackers to manipulate the domain argument in the createTool function of the Workspace Domain Handler, resulting in unauthorized information disclosure. The vulnerability requires high attack complexity and has published exploit code available, though real-world exploitation appears difficult. CVSS score of 2.9 reflects low severity with limited confidentiality impact, while EPSS scoring at 25th percentile suggests minimal real-world exploitation probability.
Technical ContextAI
The vulnerability exists in the Workspace Domain Handler component, specifically within the createTool function located at packages/sdk/src/mcp/teams/api.ts. The root cause is classified as CWE-266 (Improper Privilege Management), indicating the function fails to properly validate or enforce access controls when processing the domain argument. This allows callers to supply arbitrary domain values that bypass intended authorization checks. The DecoCMS Mesh SDK provides API abstractions for workspace and team management; the affected createTool function likely constructs tool instances without adequate domain isolation, enabling lateral access or information leakage across domain boundaries.
Affected ProductsAI
DecoCMS Mesh versions up to and including 1.0.0-alpha.31 are affected. The vulnerable component is the Workspace Domain Handler in the SDK package (packages/sdk/src/mcp/teams/api.ts). No CPE string was provided in the source data; affected software can be identified via GitHub at https://github.com/decocms/mesh.
RemediationAI
Vendor-released patch: upgrade DecoCMS Mesh to version 1.0.0-alpha.32 or later, which addresses the improper access control in the createTool function. The patch is available at https://github.com/decocms/mesh/releases/tag/runtime-v1.0.0-alpha.32 and corresponds to commit 5f7315e05852faf3a9c177c0a34f9ea9b0371d3d. Users should apply this update to all instances of DecoCMS Mesh SDK in use. If immediate patching is not feasible, implement network segmentation to restrict access to the createTool API endpoint or disable workspace domain-switching features until patched, though these controls are not formally recommended by the vendor and may impact functionality.
Same weakness CWE-266 – Incorrect Privilege Assignment
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today