CVE-2025-13796

MEDIUM

deco-cx apps <= 0.120.1 - Server-Side Request Forgery via AnalyticsScript URL Parameter


Exploitation Summary

EIP tracks 2 public exploits for CVE-2025-13796. PoCs published by adminlove520, 0xcucumbersalad.

AI-analyzed exploit summary: the tracked repositories contain a functional proof of concept (PoC) for CVE-2025-13796, demonstrating server-side request forgery (SSRF) in the deco-cx apps component. The exploit targets the analyticsScript.ts loader and passes a crafted value in the url parameter; because the loader fetches whatever URL it is given, a file:// URL lets the attacker read arbitrary local files from the server.

Description

A server-side request forgery vulnerability exists in deco-cx apps up to and including version 0.120.1. The affected code is the AnalyticsScript function in website/loaders/analyticsScript.ts (the loader's parameter handler). The loader takes the url argument from the request and fetches it server-side without restricting the scheme or destination, so a remote, unauthenticated-looking request can make the server fetch attacker-chosen targets, including file:// paths on its own filesystem. The attack is performed over the network and a public exploit exists. Version 0.120.2 (fix: https://github.com/deco-cx/apps/pull/1360) addresses the issue; upgrade the affected component.

Exploits (2)

GitHub · working PoC · 2 stars
by adminlove520 · tagged: python, poc
https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2025/CVE-2025-13796


Classification: working PoC (90%)
Attack type: SSRF
Complexity: trivial
Reliability: reliable
Target: deco-cx (version unspecified)
Authentication: none needed
Prerequisites: network access to the target server
Analyzed by devstral-2 on Feb 27, 2026
nomisec · working PoC
by 0xcucumbersalad · tagged: poc
https://github.com/0xcucumbersalad/CVE-2025-13796-PoC

This PoC demonstrates the SSRF in deco-cx apps against the analyticsScript.ts loader to read local files (e.g., /etc/passwd). It is a single curl command: a GET request whose url parameter carries a file:// URL, which the server fetches and returns.

Classification: working PoC (90%)
Attack type: SSRF
Complexity: trivial
Reliability: reliable
Target: deco-cx apps (version unspecified)
Authentication: none needed
Prerequisites: network access to the target server; target running a vulnerable deco-cx apps version
Analyzed by devstral-2 on Feb 16, 2026

References

Issue tracking (fix PR): https://github.com/deco-cx/apps/pull/1360
VDB entry, technical description (permissions required): https://vuldb.com/?id.333807
VDB entry, CTI signature (permissions required): https://vuldb.com/?ctiid.333807
VDB entry, third-party advisory / submission (permissions required): https://vuldb.com/?submit.691837

Scores

CVSS v3.1 base score: 6.3 (medium)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Attack vector: network
EPSS: 0.0027 (0.27%), percentile 18.3%

Note that the vector scores the issue as requiring low privileges (PR:L), while both PoC analyses above record no authentication as needed. Treat the loader as reachable without credentials until your own deployment proves otherwise; the impact of a file:// read (C:L in the vector) is understated if the server holds secrets on disk.

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-918
Status published
Products (3)
deco-cx/apps 0.120.0 (affected)
deco-cx/apps 0.120.1 (affected)
deco-cx/apps 0.120.2 (fixed version per the description)
Published Dec 01, 2025
Tracked Since Feb 18, 2026