CVE-2025-4839

LOW

itwanger paicoding 1.0.0-1.0.3 - Permissive Cross-domain Security Policy in CrossUtil.java

Title source: llm

Description

A vulnerability has been found in itwanger paicoding 1.0.0/1.0.1/1.0.2/1.0.3 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /paicoding-core/src/main/java/com/github/paicoding/forum/core/util/CrossUtil.java. The manipulation leads to permissive cross-domain policy with untrusted domains. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used.

References (4)

Core 4

Core References

Third Party Advisory, VDB Entry vdb-entry

https://vuldb.com/?id.309307

Permissions Required, VDB Entry signature permissions-required

https://vuldb.com/?ctiid.309307

Third Party Advisory, VDB Entry third-party-advisory

https://vuldb.com/?submit.574826

Exploit exploit

https://github.com/ShenxiuSec/cve-proofs/blob/main/POC-20250510-02.md

View Exploit ZIP pw:eip

Scores

CVSS v3 3.1

EPSS 0.0025

EPSS Percentile 16.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-942 CWE-346

Status published

Products (4)

itwanger/paicoding 1.0.0

itwanger/paicoding 1.0.1

itwanger/paicoding 1.0.2

itwanger/paicoding 1.0.3

Published May 17, 2025

Tracked Since Feb 18, 2026