PT-2025-46685 · Xxl-Api · Xxl-Api

Published

2025-11-12

Updated

2025-12-04

CVE-2025-60645

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions xxl-api version 1.3.0

Description A Cross-Site Request Forgery (CSRF) exists in xxl-api version 1.3.0. This allows attackers to add users to the management module by sending a specially crafted GET request. The attack leverages a lack of proper CSRF protection. The API endpoint used in the attack is not specified. The vulnerable parameter is not specified. The function involved in the attack is not specified.

Recommendations Apply updates to address the issue in xxl-api version 1.3.0. As a temporary workaround, consider implementing CSRF protection mechanisms, such as synchronizer tokens, to mitigate the risk of exploitation.

Exploit

Fix

CSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-352

Related Identifiers

CVE-2025-60645

Affected Products

Xxl-Api

PT-2025-46685 · Xxl-Api · Xxl-Api

CVE-2025-60645

Weakness Enumeration

Related Identifiers

Affected Products

References · 8