GHSA-f8vw-8vgh-22r9

Source

https://github.com/advisories/GHSA-f8vw-8vgh-22r9

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-f8vw-8vgh-22r9/GHSA-f8vw-8vgh-22r9.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-f8vw-8vgh-22r9

Aliases

CVE-2025-7787

Published

2025-07-18T15:31:57Z

Modified

2025-07-21T13:12:13.821002Z

Severity

6.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
2.1 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator

Summary

XXL-JOB is vulnerable to SSRF attacks

Details

A vulnerability, which was classified as critical, was found in Xuxueli xxl-job up to 3.1.1. Affected is the function httpJobHandler of the file src\main\java\com\xxl\job\executor\service\jobhandler\SampleXxlJob.java. The manipulation leads to server-side request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Database specific

{
    "github_reviewed": true,
    "severity": "LOW",
    "github_reviewed_at": "2025-07-21T12:26:33Z",
    "cwe_ids": [
        "CWE-918"
    ],
    "nvd_published_at": "2025-07-18T15:15:31Z"
}

References

Affected packages

Maven / com.xuxueli:xxl-job-core

Package

Name: com.xuxueli:xxl-job-core; View open source insights on deps.dev
Purl: pkg:maven/com.xuxueli/xxl-job-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

3.1.1

Affected versions

1.*

1.4.1

1.4.2

1.5.0

1.5.1

1.5.2

1.6.0

1.6.1

1.6.2

1.7.0

1.7.1

1.7.2

1.8.0

1.8.1

1.8.2

1.9.0

1.9.1

1.9.2

2.*

2.0.0

2.0.1

2.0.2

2.1.0

2.1.1

2.1.2

2.2.0

2.3.0

2.3.1

2.4.0

2.4.1

2.4.2

2.5.0

3.*

3.0.0

3.1.0

3.1.1