CVE-2025-7787

Severity: Low · Public PoC

Published: 18 July 2025
Modified: 29 April 2026
KEV Added: not listed
Patch:
CVSS Score (v4): 2.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0039 (60.3rd percentile)
Risk Priority: 4 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-7787 is a low-severity server-side request forgery (SSRF, CWE-918) vulnerability in Xuxueli xxl-job. Its CVSS v4 base score is 2.1 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Network Service Discovery (T1046). The CVE ranks in the top 39.7% of CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-7787 is a server-side request forgery (SSRF) vulnerability, classified under CWE-918 and rated critical in the originating advisory, affecting Xuxueli xxl-job versions up to 3.1.1. The issue resides in the httpJobHandler function within the file src/main/java/com/xxl/job/executor/service/jobhandler/SampleXxlJob.java. Manipulation of that handler's input lets a remote actor make the server issue requests on their behalf (SSRF). The flaw carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-07-18.

An attacker with low privileges (PR:L), such as an authenticated user, can exploit this remotely over the network with low complexity and no user interaction required. Successful exploitation allows limited impacts on confidentiality, integrity, and availability through SSRF, potentially enabling unauthorized requests to internal resources. The exploit has been publicly disclosed and may be used by attackers.

Advisories and details are available in GitHub issue #3749 on the xuxueli/xxl-job repository and VulDB entries (ctiid.316848, id.316848, submit.615741), where the vulnerability was reported and analyzed. Practitioners should review these sources for any patches, workarounds, or upgrade guidance, as no specific mitigation details are outlined in the core CVE data.

Vulnerability details

A vulnerability, which was classified as critical, was found in Xuxueli xxl-job up to 3.1.1. Affected is the function httpJobHandler of the file src\main\java\com\xxl\job\executor\service\jobhandler\SampleXxlJob.java. The manipulation leads to server-side request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

CWE(s)

CWE-918 Server-Side Request Forgery (SSRF)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1046 Network Service Discovery (Discovery)
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

An SSRF flaw lets an attacker exploit the public-facing application (T1190), use forged server-side requests to discover services on internal hosts (T1046), and then target vulnerable internal services that those requests can reach (T1210).

CVEs Like This One

CVE-2025-7788 (same product: Xuxueli Xxl-Job)
CVE-2024-13924 (shared CWE-918)
CVE-2026-42860 (shared CWE-918)
CVE-2025-25785 (shared CWE-918)
CVE-2024-53705 (shared CWE-918)
CVE-2026-5418 (shared CWE-918)
CVE-2026-45082 (shared CWE-918)
CVE-2026-7065 (shared CWE-918)
CVE-2025-55150 (shared CWE-918)
CVE-2025-28091 (shared CWE-918)

Affected Assets

xuxueli / xxl-job, versions ≤ 3.1.1

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

AC-4 Information Flow Enforcement (prevent)
Enforces information flow policies that directly block the unauthorized server-initiated requests to internal resources enabled by the SSRF flaw in httpJobHandler.

SI-10 Information Input Validation (prevent)
Requires validation of all inputs to httpJobHandler so that attacker-supplied URLs cannot be used to trigger server-side requests.

Boundary protection (prevent, detect)
Implements boundary controls that can restrict or monitor the outbound network connections abused by the SSRF exploit.
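As an added example (not xxl-job's own code, and written in Python rather than the handler's Java so that it runs stand-alone), the following pre-request policy check shows how the two controls above combine for a job-supplied URL: an explicit host/scheme/port allowlist (the AC-4 flow control) and validation that the name does not resolve to an internal address (the SI-10 input check). ALLOWED_HOSTS, the helper names and the resolver injection are assumptions made for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist (assumption for the example): the only hosts the executor may call.
ALLOWED_HOSTS = frozenset({"api.example.com"})

def resolve_all(host):
    """Live DNS lookup returning every address the name currently maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_internal(ip):
    """True for ranges an SSRF is typically aimed at: loopback, RFC 1918/ULA, link-local
    (which includes the 169.254.169.254 cloud metadata address), unspecified, reserved, multicast."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # ::ffff:10.0.0.1 must be judged as 10.0.0.1
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_unspecified or addr.is_reserved or addr.is_multicast)

def is_allowed_url(raw_url, allowed_hosts=ALLOWED_HOSTS, resolver=resolve_all):
    """Return True only if the server may fetch raw_url on a job's behalf.
    Layer 1 (AC-4): scheme, host and port must match an explicit allowlist.
    Layer 2 (SI-10): the allowlisted name must not resolve to an internal address.
    The resolver is injectable for offline tests. Caveat: DNS can change between this check
    and the connect (rebinding); connect to the address validated here rather than re-resolving.
    """
    try:
        parts = urlsplit(raw_url)
        host = parts.hostname  # lower-cased, IPv6 brackets stripped
        port = parts.port      # ValueError on a non-numeric port
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False  # no file:, gopher:, dict:, ftp: ...
    if not host or parts.username is not None or parts.password is not None:
        return False  # hostless URLs and user@host confusion are rejected
    if port not in (None, 80, 443):
        return False  # stay on the expected service ports
    if host not in allowed_hosts:
        return False  # literal IPs are never allowlisted, so they fail here
    try:
        addresses = resolver(host)
    except OSError:
        return False
    return bool(addresses) and not any(is_internal(ip) for ip in addresses)
```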
