CVE-2025-10695 | THREATINT

Description

Two unauthenticated diagnostic endpoints allow arbitrary backend-initiated network connections to an attacker‑supplied destination. Both endpoints are exposed with permission => 'any', enabling unauthenticated SSRF for internal network scanning and service interaction. This issue affects OpenSupports: 4.11.0.

PUBLISHED Reserved 2025-09-18 | Published 2025-10-03 | Updated 2025-10-06 | Assigner Fluid Attacks

MEDIUM: 6.9CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-918 Server-Side Request Forgery (SSRF)

Product status

Default status

unaffected

4.11.0

affected

References

fluidattacks.com/advisories/freer third-party-advisory

github.com/opensupports/opensupports product

cve.org (CVE-2025-10695)

nvd.nist.gov (CVE-2025-10695)

Download JSON