CVE-2025-3412

Name of the Vulnerable Software and Affected Versions: mymagicpower AIAS 20250308

Description: A critical issue was found in mymagicpower AIAS, affecting an unknown function of the file 2 training platform/train-platform/src/main/java/top/aias/training/controller/InferController.java. The manipulation of the url argument leads to server-side request forgery, allowing for remote attacks. The exploit has been publicly disclosed and may be used. The vendor was contacted about this disclosure but did not respond.

Recommendations: As a temporary workaround, consider restricting access to the vulnerable InferController.java function until a patch is available. Avoid using the url argument in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.