ChanCMS
CVE-2025-8133
LOW
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A vulnerability classified as critical has been found in yanyutao0402 ChanCMS up to 3.1.2. This affects the function getArticle of the file app/modules/api/service/gather.js. The manipulation of the argument targetUrl leads to server-side request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.1.3 is able to address this issue. The identifier of the patch is 3ef58a50e8b3c427b03c8cf3c9e19a79aa809be6. It is recommended to upgrade the affected component.
Analysis (AI)
Server-side request forgery in ChanCMS up to version 3.1.2 allows authenticated remote attackers to manipulate the targetUrl argument in the getArticle function (app/modules/api/service/gather.js), enabling them to make arbitrary HTTP requests from the affected server. Publicly available exploit code exists, but the CVSS score of 2.1 reflects limited confidentiality, integrity, and availability impact despite network accessibility; exploitation is restricted to authenticated users with low privileges.
Technical Context (AI)
This SSRF vulnerability (CWE-918) exists in the article gathering service component where user-supplied targetUrl parameters are passed to HTTP request functions without proper validation or allowlisting. The vulnerability affects the getArticle function in app/modules/api/service/gather.js, which likely uses Node.js HTTP libraries (such as axios, node-fetch, or similar) to retrieve content from URLs supplied by authenticated API clients. The lack of URL scheme validation, hostname filtering, or restrictions on private IP ranges enables attackers to access internal services, metadata endpoints (such as cloud provider credential endpoints), or other network-accessible resources from the server's perspective. CPE cpe:2.3:a:chancms:chancms:*:*:*:*:*:*:*:* confirms the vulnerability spans the entire ChanCMS product line up to and including version 3.1.2.
Remediation (AI)
Upgrade ChanCMS immediately to version 3.1.3 or later, which includes the patch (commit 3ef58a50e8b3c427b03c8cf3c9e19a79aa809be6 at https://gitee.com/yanyutao0402/ChanCMS/commit/3ef58a50e8b3c427b03c8cf3c9e19a79aa809be6). For organizations unable to upgrade immediately, implement network-level controls by restricting outbound HTTP/HTTPS connections from the ChanCMS application server to only whitelisted external domains and blocking access to private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8, 169.254.0.0/16) via firewall rules or iptables. Additionally, restrict the API endpoint /api/service/gather (or equivalent) to specific IP addresses or require VPN access if the endpoint is not strictly necessary for public use. These controls reduce the SSRF attack surface but do not eliminate the vulnerability; patching remains mandatory.
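The Technical Context names three missing controls: scheme validation, hostname filtering and private-range restrictions. The following Node.js code is an added example of such a pre-flight check for a user-supplied targetUrl; it is not ChanCMS code and not the 3.1.3 patch. The names `checkTargetUrl` and `isBlockedAddress`, the injectable `lookup` parameter and the IPv6 ranges are assumptions made for illustration.

```javascript
// Added example, not ChanCMS code: pre-flight check for a user-supplied targetUrl.
const net = require('node:net');
const dns = require('node:dns').promises;

// IPv4 ranges from the remediation text; the IPv6 entries are an added assumption.
const blocked = new net.BlockList();
for (const [prefix, bits] of [['10.0.0.0', 8], ['172.16.0.0', 12], ['192.168.0.0', 16],
  ['127.0.0.0', 8], ['169.254.0.0', 16]]) {
  blocked.addSubnet(prefix, bits, 'ipv4');
}
for (const [prefix, bits] of [['::1', 128], ['fc00::', 7], ['fe80::', 10]]) {
  blocked.addSubnet(prefix, bits, 'ipv6');
}

// True when the address must not be contacted. Anything that is not an IP literal fails closed.
function isBlockedAddress(ip) {
  const family = net.isIP(ip);
  if (family === 0) return true;
  return blocked.check(ip, family === 4 ? 'ipv4' : 'ipv6');
}

// Resolves to { ok, reason?, addresses? }. `lookup` is injectable so the check can be tested offline.
async function checkTargetUrl(targetUrl, lookup = (host, opts) => dns.lookup(host, opts)) {
  let url;
  try {
    url = new URL(targetUrl);
  } catch {
    return { ok: false, reason: 'unparseable URL' };
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, reason: 'scheme not allowed' };
  }
  // The WHATWG parser has already normalised forms such as http://2130706433/ to 127.0.0.1.
  const host = url.hostname.replace(/^\[|\]$/g, '');
  let addrs;
  try {
    addrs = net.isIP(host) ? [{ address: host }] : await lookup(host, { all: true });
  } catch {
    return { ok: false, reason: 'DNS lookup failed' };
  }
  if (addrs.length === 0) return { ok: false, reason: 'no addresses' };
  // Reject if any resolved record is internal, not just the first one.
  const bad = addrs.find((a) => isBlockedAddress(a.address));
  if (bad) return { ok: false, reason: `blocked address ${bad.address}` };
  return { ok: true, addresses: addrs.map((a) => a.address) };
}
```

Resolving once here does not stop a different DNS answer at fetch time, so the HTTP client should connect to one of the returned `addresses` and run the same check on every redirect target.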