CVE-2025-10393
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-14

Last updated on: 2026-04-29

Assigner: VulDB

Description
A flaw has been found in miurla morphic up to 0.4.5. This impacts the function fetchHtml of the file /api/advanced-search of the component HTTP Status Code 3xx Handler. This manipulation causes server-side request forgery. The attack is possible to be carried out remotely. The exploit has been published and may be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-14
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-09-14
EPSS Evaluated
2026-06-15
NVD
CVE-2025-10393
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
miurla morphic 0.4.0
miurla morphic 0.4.5
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-10393 is a Server-Side Request Forgery (SSRF) vulnerability in the miurla morphic application up to version 0.4.5. It occurs in the fetchHtml function of the /api/advanced-search endpoint, specifically in the HTTP Status Code 3xx Handler. The flaw allows an attacker to manipulate the server into making unauthorized requests to internal or external systems by exploiting how the server processes redirected URLs. This can be done remotely without authentication, and an exploit is publicly available. [1, 2]

Impact Analysis

This vulnerability can impact you by allowing attackers to make unauthorized requests from your server to internal services or external targets. This can lead to unauthorized access to internal resources, port scanning or detection of internal network structure, and potentially distributed denial-of-service (DDoS) attacks by repeatedly triggering requests. It affects the confidentiality, integrity, and availability of your system. [1, 2]

Detection Guidance

This vulnerability can be detected by monitoring requests to the /api/advanced-search endpoint, especially those triggering HTTP 3xx redirections and causing the server to make additional internal requests. Network or application logs should be inspected for unusual or repeated internal requests originating from this endpoint. Since the exploit involves server-side request forgery, commands like curl or wget can be used to test the endpoint by sending crafted requests that cause redirections and observing if the server follows them internally. For example, using curl with verbose output to detect redirection handling: curl -v -X POST 'http://<target>/api/advanced-search' -d '{"url":"http://internal-service"}' -H 'Content-Type: application/json'. Additionally, network monitoring tools can be used to detect unexpected outbound requests from the server to internal or external addresses triggered by this endpoint. [1, 2]

Mitigation Strategies

Immediate mitigation steps include replacing the affected miurla morphic software version (up to 0.4.5) with an alternative product, as no known mitigations or countermeasures have been identified. Additionally, restricting or filtering outbound requests from the server to prevent unauthorized internal or external requests triggered by the vulnerable endpoint can help reduce risk. Monitoring and blocking suspicious activity related to the /api/advanced-search endpoint and applying network-level controls to limit access to internal services may also help mitigate exploitation until a patch or fix is available. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-10393. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart