CVE-2025-34133
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-27

Last updated on: 2025-10-30

Assigner: VulnCheck

Description
Wimi Teamwork versions prior to 7.38.17 contains a cross-site request forgery (CSRF) vulnerability in its API. The API accepts any authenticated request that contains a JSON field named 'csrf_token' without validating the field’s value; only the presence of the field is checked. An attacker can craft a cross-site request that causes a logged-in victim’s browser to submit a JSON POST containing an arbitrary or empty 'csrf_token', and the API will execute the request with the victim’s privileges. Successful exploitation can allow an attacker to perform privileged actions as the victim potentially resulting in account takeover, privilege escalation, or service disruption.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-27
Last Modified
2025-10-30
Generated
2026-06-16
AI Q&A
2025-10-27
EPSS Evaluated
2026-06-15
NVD
CVE-2025-34133
EUVD
EUVD-2025-36201
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wimi wimi_teamwork *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-34133 is a cross-site request forgery (CSRF) vulnerability in Wimi Teamwork versions prior to 7.38.17. The API accepts any authenticated request containing a JSON field named 'csrf_token' without validating its value; it only checks for the presence of the field. An attacker can craft a cross-site request that causes a logged-in victim’s browser to submit a JSON POST with an arbitrary or empty 'csrf_token'. The API then executes the request with the victim’s privileges, allowing the attacker to perform privileged actions as the victim. [2]

Impact Analysis

Exploitation of this vulnerability can allow an attacker to perform privileged actions on behalf of the victim, potentially resulting in account takeover, privilege escalation, or service disruption within the Wimi Teamwork environment. [2]

Detection Guidance

Detection can focus on identifying API requests containing a JSON field named 'csrf_token' without proper validation. Monitoring HTTP POST requests to the Wimi Teamwork API endpoints for the presence of 'csrf_token' fields, especially those with arbitrary or empty values, may indicate exploitation attempts. Network traffic inspection tools like Wireshark or command-line tools such as curl or tcpdump can be used to capture and analyze such requests. For example, using curl to simulate or detect suspicious requests: curl -X POST -H "Content-Type: application/json" -d '{"csrf_token":""}' https://<wimi-api-endpoint>. Additionally, reviewing server logs for POST requests containing 'csrf_token' fields without corresponding validation errors may help detect exploitation attempts. [2]

Mitigation Strategies

The immediate mitigation step is to upgrade Wimi Teamwork to version 7.38.17 or later, where this CSRF vulnerability has been addressed. Until the update can be applied, consider implementing additional security controls such as enforcing stricter validation of the 'csrf_token' field on the server side, restricting API access to trusted origins, and educating users to avoid interacting with untrusted sites while authenticated. Employing network-level protections like Web Application Firewalls (WAF) to detect and block suspicious cross-site requests may also help reduce risk. [2, 1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-34133. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart