YunaiV yudao-cloud CVE-2025-15098
Severity (by source): Low
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A vulnerability was determined in YunaiV yudao-cloud up to 2025.11. This affects the function BpmHttpCallbackTrigger/BpmSyncHttpRequestTrigger of the component Business Process Management. Executing manipulation of the argument url/header/body can lead to server-side request forgery. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis (AI)
Server-side request forgery in YunaiV yudao-cloud through version 2025.11 lets an authenticated remote attacker who can configure the BpmHttpCallbackTrigger or BpmSyncHttpRequestTrigger of the Business Process Management component choose the URL, headers and body of an HTTP request that the server then sends on the attacker's behalf, so the application server acts as a proxy into whatever network it sits on. The reported CVSS 4.0 score is low (2.1) because an authenticated account is required (PR:L), the direct impacts are rated low (VC:L/VI:L/VA:L), no impact on other systems is scored (SC:N/SI:N/SA:N), and exploit maturity is proof-of-concept (E:P). That rating scores the forged request itself, not what the internal services reachable from the host expose, so the practical risk depends on the deployment. Public proof-of-concept code exists, and the vendor did not respond to the early disclosure notification.
Technical Context (AI)
YunaiV yudao-cloud is a microservices-based management platform whose Business Process Management (BPM) module can call out over HTTP during workflow execution. The vulnerable code is in the BpmHttpCallbackTrigger and BpmSyncHttpRequestTrigger, the triggers that make those requests. The root cause is CWE-918 (Server-Side Request Forgery): the url, header and body values taken from the trigger configuration are handed to the HTTP client without validating the scheme, the destination address or the header contents. Anyone allowed to define or edit a process that uses these triggers can therefore make the yudao-cloud server send an attacker-chosen request to internal APIs, cloud instance metadata services (169.254.169.254), or other backend systems that are not meant to be reachable from outside, and in the synchronous case read the response back.
Affected Products (AI)
YunaiV yudao-cloud versions up to and including 2025.11 are affected, specifically the Business Process Management module's BpmHttpCallbackTrigger and BpmSyncHttpRequestTrigger. No CPE identifier was provided in the available intelligence; the product can be identified by its Maven module coordinates or by the YunaiV/yudao-cloud repository on GitHub. The public proof-of-concept write-up is at https://github.com/AnalogyC0de/public_exp/blob/main/archives/yudao-cloud-bpm_SSRF/report.md (this is the researcher's report, not the project repository). Version 2025.12 and later should be checked for a fix before being treated as unaffected.
Remediation (AI)
No vendor-released patch had been identified at the time of analysis, and the vendor (YunaiV) did not respond to the early disclosure notification, so no official fix timeline is available. Mitigation options, in rough order of effectiveness:
(1) Fix the triggers themselves, forking the project if necessary: before BpmHttpCallbackTrigger or BpmSyncHttpRequestTrigger sends anything, allow only http and https, resolve the hostname and reject every answer that is loopback, private, link-local (which covers 169.254.169.254) or otherwise non-public, connect to the address that was checked rather than resolving again (DNS rebinding), refuse caller-supplied Host, Content-Length and Transfer-Encoding headers and any CR/LF in header values, and do not follow redirects. An allowlist of approved callback hosts is stronger than a deny-list of address ranges.
(2) Restrict who can create or edit BPM process definitions and their HTTP trigger configuration to trusted administrators through role-based access control. The attack requires an authenticated account (PR:L), so shrinking the set of accounts with that right shrinks the exposure. Audit existing process definitions for triggers whose url points at an internal address or uses a non-http scheme.
(3) Apply network egress filtering on the yudao-cloud application host so that outbound connections to 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8 and 169.254.0.0/16 (the metadata endpoint) are blocked, along with any internal services the BPM host does not legitimately need. This limits what a forged request can reach rather than preventing the forgery, does nothing against requests to external hosts, and needs care so legitimate callbacks keep working.
(4) A Web Application Firewall helps only where it inspects the BPM configuration endpoints. Rules that look for multiple Host headers or unusual User-Agent strings on inbound traffic do not see this attack, because the malicious values are the url, header and body fields saved in the workflow definition, and the dangerous request is the outbound one the server makes later. Instead, alert on trigger definitions that name loopback, private or link-local addresses or non-http schemes.
Organizations dependent on yudao-cloud should monitor the GitHub repository and VulnDB for an official or community patch, and consider carrying their own fix if the exploitation risk in their environment is high.