CVE-2025-1927
Severity: HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Description
Cross-Site Request Forgery (CSRF) vulnerability in Restajet Information Technologies Inc. Online Food Delivery System allows Cross Site Request Forgery. This issue affects Online Food Delivery System: through 19122025. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Analysis
Authenticated attackers can perform unauthorized state-changing operations in Restajet Online Food Delivery System (all versions through December 19, 2025) by exploiting missing CSRF protections. The vulnerability, disclosed by Turkey's USOM (National Cyber Incident Response Center), carries a CVSS score of 7.1 with high integrity impact, though EPSS modeling indicates only a 0.02% exploitation probability (5th percentile). No public exploit was identified at the time of analysis, and the vendor did not respond to disclosure attempts.
Technical Context
This vulnerability stems from CWE-352 (Cross-Site Request Forgery), a weakness in web application session management where the application fails to validate that state-changing requests originated from the legitimate user. The affected product (CPE: cpe:2.3:a:restajet:online_food_delivery_system) is a commercial food ordering platform developed by Restajet Information Technologies Inc. In CSRF attacks, malicious websites or emails trick authenticated users' browsers into submitting forged HTTP requests without proper anti-CSRF tokens or same-site cookie protections. The CVSS vector indicates network-based exploitation (AV:N) with low complexity (AC:L) requiring an authenticated session (PR:L) but no user interaction beyond maintaining the session (UI:N), producing high integrity impact (I:H) with limited confidentiality exposure (C:L) and no availability impact (A:N).
Affected Products
Restajet Online Food Delivery System versions through December 19, 2025 are affected, as confirmed by CPE identifier cpe:2.3:a:restajet:online_food_delivery_system:-:*:*:*:*:*:*:*. The vulnerability disclosure originates from Turkey's National Cyber Incident Response Center (USOM) at https://www.usom.gov.tr/bildirim/tr-25-0469. No specific starting version is documented, suggesting all deployed versions contain this weakness. Additional technical details are available through VulDB advisory https://vuldb.com/?id.337613. Restajet Information Technologies Inc. did not respond to early disclosure attempts, and no vendor security advisory has been published.
Remediation
No vendor-released patch was identified at the time of analysis, as Restajet Information Technologies Inc. did not respond to vulnerability disclosure. Until vendor remediation becomes available, implement compensating controls:
1. Deploy web application firewall rules to enforce anti-CSRF token validation on all state-changing requests (POST, PUT, DELETE operations).
2. Configure SameSite=Strict or SameSite=Lax cookie attributes on session cookies to prevent cross-origin request inclusion.
3. Implement custom middleware to verify that the Referer and Origin headers match the application domain.
4. Consider restricting application access to trusted IP ranges via network segmentation.
For critical deployments, evaluate migration to alternative food delivery platforms with active security maintenance. Monitor the USOM advisory at https://www.usom.gov.tr/bildirim/tr-25-0469 and VulDB at https://vuldb.com/?id.337613 for potential vendor updates.
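The following is an added example, not Restajet's code, showing controls 2 and 3 above as a framework-agnostic request filter: an Origin/Referer check that fails closed when both headers are absent, a synchronizer-token comparison, and a session cookie emitted with SameSite=Lax. APP_ORIGIN, the request shape and the sample requests are assumptions constructed for illustration.

```python
import hmac
from urllib.parse import urlsplit

APP_ORIGIN = "https://orders.example.test"  # assumed deployment origin (lowercase)
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}    # read-only methods are not CSRF targets


def _source_origin(headers):
    """Return scheme://host from Origin, else from Referer, else None."""
    origin = headers.get("Origin")
    if origin and origin != "null":
        return origin.rstrip("/")
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def csrf_check(method, headers, session_token, submitted_token):
    """Return (allowed, reason) for one request.
    Rejecting requests with neither Origin nor Referer matters: an
    allow-when-absent policy would let a stripped header bypass the check."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    src = _source_origin(headers)
    if src is None:
        return False, "missing Origin and Referer"
    if src.lower() != APP_ORIGIN:
        return False, f"cross-origin request from {src}"
    if not session_token or not submitted_token:
        return False, "missing CSRF token"
    if not hmac.compare_digest(session_token, submitted_token):  # constant-time
        return False, "CSRF token mismatch"
    return True, "ok"


def session_cookie(session_id, secure=True):
    """Set-Cookie value so cross-site POSTs do not carry the session cookie."""
    attrs = [f"sid={session_id}", "Path=/", "HttpOnly", "SameSite=Lax"]
    if secure:
        attrs.append("Secure")
    return "; ".join(attrs)


# Constructed sample requests (not captured traffic), one per outcome.
SAMPLES = [
    ("POST", {"Origin": APP_ORIGIN}, "t0k", "t0k"),                  # same-origin, token ok
    ("POST", {"Origin": "https://attacker.example"}, "t0k", "t0k"),  # cross-origin
    ("POST", {}, "t0k", "t0k"),                                      # headers stripped
]


def run_samples():
    return [csrf_check(*s)[0] for s in SAMPLES]  # [True, False, False]
```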