CVE-2025-63551
📋 TL;DR
This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in MetInfo CMS that can be triggered via XML External Entity (XXE) injection. Attackers can exploit this flaw to force the server to make HTTP requests to arbitrary internal or external addresses, potentially exposing sensitive information or enabling network reconnaissance. All MetInfo CMS installations through version 8.1 are affected.
💻 Affected Systems
- MetInfo Content Management System
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of internal network resources, sensitive data exfiltration, or lateral movement to other systems via the server's network position.
Likely Case
Internal network reconnaissance, port scanning of internal services, and retrieval of metadata from cloud services or internal APIs.
If Mitigated
Limited to external network scanning or blocked requests due to network segmentation and egress filtering.
🎯 Exploit Status
Exploitation requires access to the vulnerable endpoint, which is typically in the admin interface. Public proof-of-concept code is available in GitHub repositories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Unknown
Restart Required: No
Instructions:
Check MetInfo official website for security updates. Upgrade to version 8.2 or later when available. Apply patches immediately upon release.
🔧 Temporary Workarounds
Disable XML External Entity Processing
Configure the XML parser to disable external entity resolution and DTD processing.
For PHP: libxml_disable_entity_loader(true); (deprecated since PHP 8.0, where libxml leaves external entity loading off unless it is explicitly enabled)
Set the XML parser configuration so that none of LIBXML_NOENT, LIBXML_DTDLOAD and LIBXML_DTDATTR is enabled
Input Validation and Filtering
Implement strict input validation to reject XML containing external entity declarations
Implement regex filtering for DOCTYPE and ENTITY declarations in XML input
🧯 If You Can't Patch
- Implement network segmentation to restrict the server's outbound network access
- Deploy a Web Application Firewall (WAF) with XXE and SSRF protection rules
🔍 How to Verify
Check if Vulnerable:
Test the vulnerable endpoint at /admin/#/webset/?head_tab_active=0 with crafted XML containing external entity references to a controlled server and monitor for outbound requests.
Check Version:
Check MetInfo version in admin panel or review /install/install.lock file contents
Verify Fix Applied:
After applying fixes, repeat the vulnerability test and confirm no outbound requests are made to external entities. Verify XML parser configuration disables external entity processing.
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound HTTP requests from the web server to internal IP ranges
- XML parsing errors containing external entity references
- Requests to the vulnerable /admin/#/webset endpoint with XML payloads
Network Indicators:
- HTTP requests from web server to unusual internal destinations (RFC1918 addresses)
- Requests to metadata services (169.254.169.254, etc.) from web server
SIEM Query:
source="web_server_logs" AND (uri="/admin/#/webset" OR uri CONTAINS "webset") AND (payload CONTAINS "<!ENTITY" OR payload CONTAINS "SYSTEM")