Home

Description

A flaw has been found in DecoCMS Mesh up to 1.0.0-alpha.31. Affected by this vulnerability is the function createTool of the file packages/sdk/src/mcp/teams/api.ts of the component Workspace Domain Handler. This manipulation of the argument domain causes improper access controls. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been published and may be used. Upgrading to version 1.0.0-alpha.32 addresses this issue. Patch name: 5f7315e05852faf3a9c177c0a34f9ea9b0371d3d. It is recommended to upgrade the affected component.

PUBLISHED Reserved 2025-12-13 | Published 2025-12-14 | Updated 2025-12-15 | Assigner VulDB




MEDIUM: 6.3CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
MEDIUM: 5.6CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
MEDIUM: 5.6CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
5.1AV:N/AC:H/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C

Problem types

Improper Access Controls

Incorrect Privilege Assignment

Product status

1.0.0-alpha.0
affected

1.0.0-alpha.1
affected

1.0.0-alpha.2
affected

1.0.0-alpha.3
affected

1.0.0-alpha.4
affected

1.0.0-alpha.5
affected

1.0.0-alpha.6
affected

1.0.0-alpha.7
affected

1.0.0-alpha.8
affected

1.0.0-alpha.9
affected

1.0.0-alpha.10
affected

1.0.0-alpha.11
affected

1.0.0-alpha.12
affected

1.0.0-alpha.13
affected

1.0.0-alpha.14
affected

1.0.0-alpha.15
affected

1.0.0-alpha.16
affected

1.0.0-alpha.17
affected

1.0.0-alpha.18
affected

1.0.0-alpha.19
affected

1.0.0-alpha.20
affected

1.0.0-alpha.21
affected

1.0.0-alpha.22
affected

1.0.0-alpha.23
affected

1.0.0-alpha.24
affected

1.0.0-alpha.25
affected

1.0.0-alpha.26
affected

1.0.0-alpha.27
affected

1.0.0-alpha.28
affected

1.0.0-alpha.29
affected

1.0.0-alpha.30
affected

1.0.0-alpha.31
affected

1.0.0-alpha.32
unaffected

Timeline

2025-12-13:Advisory disclosed
2025-12-13:VulDB entry created
2025-12-13:VulDB entry last update

Credits

cucumbersalad (VulDB User) reporter

References

vuldb.com/?id.336392 (VDB-336392 | DecoCMS Mesh Workspace Domain api.ts createTool access control) vdb-entry technical-description

vuldb.com/?ctiid.336392 (VDB-336392 | CTI Indicators (IOB, IOC, TTP, IOA)) signature permissions-required

vuldb.com/?submit.713741 (Submit #713741 | Deco deco-mesh runtime v1.0.0-alpha.31 Improper Access Controls) third-party-advisory

github.com/decocms/mesh/pull/1967 issue-tracking

github.com/decocms/mesh/pull/1967 issue-tracking

github.com/decocms/mesh/pull/1967 exploit issue-tracking

github.com/...ommit/5f7315e05852faf3a9c177c0a34f9ea9b0371d3d patch

github.com/decocms/mesh/releases/tag/runtime-v1.0.0-alpha.32 patch

cve.org (CVE-2025-14660)

nvd.nist.gov (CVE-2025-14660)

Download JSON

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.