Xuxueli xxl-job CVE-2025-7787
Severity (by source): LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Blast Radius
Ecosystem impact: 16 Maven packages depend on com.xuxueli:xxl-job-core (10 direct, 6 indirect). Ecosystem-wide dependent count for version 3.1.1.
Description (CVE.org)
A vulnerability, which was classified as critical, was found in Xuxueli xxl-job up to 3.1.1. Affected is the function httpJobHandler of the file src\main\java\com\xxl\job\executor\service\jobhandler\SampleXxlJob.java. The manipulation leads to server-side request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Analysis (AI-generated)
Server-side request forgery in Xuxueli xxl-job up to version 3.1.1 allows authenticated remote attackers to reach internal network resources through the httpJobHandler function. The vulnerability has a low CVSS score (2.1) because authentication is required and the confidentiality impact is limited, but publicly available exploit code exists, so affected deployments should be remediated promptly.
Technical Context (AI-generated)
xxl-job is a distributed job scheduling and execution platform written in Java. The vulnerability exists in the SampleXxlJob.java file's httpJobHandler function, which handles HTTP requests as part of job execution logic. The root cause is classified as CWE-918 (Server-Side Request Forgery), indicating insufficient validation of URLs or request destinations provided by authenticated users. An attacker with valid credentials can manipulate HTTP requests issued by the job handler to target internal services, bypassing network-level access controls and potentially accessing cloud metadata endpoints, internal APIs, or other protected resources on the same network segment as the xxl-job executor.
Remediation (AI-generated)
Upgrade to xxl-job version 3.1.2 or later, which contains patches addressing the SSRF vulnerability in httpJobHandler. Users unable to immediately upgrade should implement the following compensating controls:
(1) restrict network access to the xxl-job admin console and executor API endpoints using firewall rules or network segmentation, allowing only trusted job definition sources;
(2) disable or isolate the httpJobHandler job type entirely if it is not required for business operations;
(3) enforce strong authentication for xxl-job access (move beyond default credentials if deployed);
(4) implement outbound filtering on the xxl-job executor network segment to block requests to internal IP ranges (169.254.x.x for metadata services, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) using host-based firewall rules or WAF policies.
Each mitigation carries trade-offs: endpoint restrictions may limit legitimate job distribution, disabling the handler may break dependent workflows, and egress filtering could block legitimate internal service calls. Patching is strongly preferred. Monitor GitHub issue #3749 and official xxl-job releases for confirmed patched versions.
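The destination validation that CWE-918 calls for, and the internal-range blocking in control (4), can also be enforced in the job handler itself before it issues the request. The following Python example is added here and is not xxl-job's code; the hostnames, addresses and the FAKE_DNS resolver are constructed so it runs offline, and the production path uses the standard socket resolver.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed offline stand-in for DNS (not real hosts): hostname -> addresses.
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],                 # routable address
    "metadata.internal": ["169.254.169.254"],             # cloud metadata endpoint
    "rebind.example.net": ["93.184.216.34", "10.0.0.5"],  # mixed public/private answer
}

def fake_resolver(host):
    return FAKE_DNS[host]

def resolve_host(host):
    """Production resolver: every A/AAAA answer for the hostname."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def is_forbidden_address(text):
    """Reject loopback, link-local (169.254.0.0/16, incl. 169.254.169.254),
    RFC 1918 (10/8, 172.16/12, 192.168/16), multicast, reserved and
    unspecified addresses, for IPv4 and IPv6 alike."""
    addr = ipaddress.ip_address(text)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped          # judge ::ffff:10.0.0.5 as 10.0.0.5
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)

def check_job_target(url, resolver=resolve_host):
    """Validate an outbound job URL before the handler sends the request.
    Returns (True, addresses) or (False, reason). Connect to one of the
    returned addresses (original Host header kept) instead of re-resolving,
    so the DNS answer cannot change between this check and the request."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed: %r" % parts.scheme
    if not parts.hostname or parts.username or parts.password:
        return False, "missing host or embedded credentials"
    try:
        addrs = [str(ipaddress.ip_address(parts.hostname))]  # literal IP in URL
    except ValueError:
        try:
            addrs = resolver(parts.hostname)
        except (socket.gaierror, KeyError):
            return False, "unresolvable host: %s" % parts.hostname
    bad = [a for a in addrs if is_forbidden_address(a)]
    if bad:
        return False, "non-routable destination: %s" % ", ".join(bad)
    return True, addrs
```

A hostname that resolves to both a public and a private address is rejected outright, since any of its answers could be chosen by the HTTP client.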