A Server-Side Request Forgery (SSRF) vulnerability has been identified in Pik Online, affecting versions prior to 3.1.5. This flaw allows attackers to manipulate the application into making requests to unintended internal or external resources. Successful exploitation could lead to unauthorized data access or further compromise of the system. The vulnerability has been fixed in version 3.1.5.
The SSRF vulnerability in Pik Online allows an attacker to craft malicious requests that the application will execute on behalf of the server. This can be leveraged to access internal services that are not directly exposed to the internet, such as databases, administrative panels, or other sensitive resources. An attacker could potentially exfiltrate sensitive data, perform reconnaissance on the internal network, or even gain a foothold for further attacks. The blast radius extends to any internal resources accessible via HTTP/HTTPS requests from the Pik Online server.
The vulnerability was publicly disclosed on 2025-08-20. No public proof-of-concept (PoC) code is currently available, but the SSRF nature of the vulnerability makes it likely that one will emerge. The CVSS score of 8.6 indicates a high probability of exploitation if the vulnerability is exposed and accessible. It is not currently listed on the CISA KEV catalog.
Exploit status: EPSS 0.07% (20th percentile).
The primary mitigation for CVE-2025-5260 is to immediately upgrade Pik Online to version 3.1.5 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds such as strict input validation and output sanitization to prevent the construction of malicious URLs. Additionally, configure a Web Application Firewall (WAF) to block requests containing suspicious URL patterns or protocols. Monitor Pik Online logs for unusual outbound requests that may indicate exploitation attempts.
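The two interim measures above (validating user-supplied URLs before the server fetches them, and reviewing logs for unexpected outbound destinations) share the same core check, so one added example covers both. This is editor-written illustration code, not Pik Online's code or fix; the allowlist, the `fake_resolver` DNS table, the function names and the `url=` log format are all assumptions constructed for the example. The validator rejects non-HTTP schemes, embedded credentials and hosts outside the allowlist, and then resolves the name and refuses any answer that is not a public unicast address, so an allowlisted name that is pointed at an internal address still fails closed.

```python
"""SSRF destination validation and outbound-log triage (added example, not Pik Online code)."""
import ipaddress
import re
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
# Hypothetical allowlist: the only hosts the application legitimately fetches from.
ALLOWED_HOSTS = {"cdn.example.com", "partner.example.com"}


def is_public_ip(ip_str):
    """True only for globally routable unicast addresses (IPv4 or IPv6)."""
    ip = ipaddress.ip_address(ip_str)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def system_resolver(host):
    """Resolve a hostname to all of its addresses through the OS resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_outbound_url(url, allowed_hosts=ALLOWED_HOSTS, resolver=system_resolver):
    """Return (ok, reason) for a URL the server is about to fetch.

    Checks scheme, embedded credentials, host allowlist, and every resolved
    address, so a name that resolves to an internal address is refused even
    if the name itself is allowlisted (misconfigured or hostile DNS).
    """
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parsed.username is not None or parsed.password is not None:
        return False, "credentials in URL"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    host = host.lower().rstrip(".")
    if host not in allowed_hosts:
        return False, "host not in allowlist"
    try:
        addresses = resolver(host)
    except OSError:
        return False, "dns resolution failed"
    for addr in addresses:
        if not is_public_ip(addr):
            return False, f"resolves to non-public address {addr}"
    return True, "ok"


# Assumed log format: "<timestamp> outbound url=<url> status=<code>".
URL_RE = re.compile(r"\burl=(\S+)")


def flag_suspicious_outbound(log_lines, allowed_hosts=ALLOWED_HOSTS, resolver=system_resolver):
    """Run each logged outbound URL through the validator; return the rejects
    as (line_number, url, reason) so an analyst can review them."""
    findings = []
    for lineno, line in enumerate(log_lines, 1):
        match = URL_RE.search(line)
        if not match:
            continue
        ok, reason = validate_outbound_url(match.group(1), allowed_hosts, resolver)
        if not ok:
            findings.append((lineno, match.group(1), reason))
    return findings


# Constructed DNS table so the example runs offline; partner.example.com
# deliberately returns a private address to model a rebinding/misconfiguration.
FAKE_DNS = {
    "cdn.example.com": ["93.184.216.34"],
    "partner.example.com": ["93.184.216.34", "10.0.0.5"],
}


def fake_resolver(host):
    if host not in FAKE_DNS:
        raise OSError("NXDOMAIN")
    return FAKE_DNS[host]


# Constructed sample log lines in the assumed format.
SAMPLE_LOG = [
    "2025-08-20T10:00:01Z outbound url=https://cdn.example.com/logo.png status=200",
    "2025-08-20T10:00:02Z outbound url=http://127.0.0.1:8080/admin status=200",
    "2025-08-20T10:00:03Z outbound url=http://10.0.0.7/status status=200",
    "2025-08-20T10:00:04Z outbound url=file:///etc/passwd status=500",
    "2025-08-20T10:00:05Z outbound url=https://partner.example.com/feed status=200",
]

if __name__ == "__main__":
    for lineno, url, reason in flag_suspicious_outbound(SAMPLE_LOG, resolver=fake_resolver):
        print(f"line {lineno}: {url} -> {reason}")
```

In production the same validator should run at the moment of the fetch (resolving once and connecting to the vetted address, rather than resolving again inside the HTTP client), and the log triage can be scheduled over the real outbound log with `system_resolver` in place of the constructed table.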
Update Pik Online to version 3.1.5 or higher. This update fixes the SSRF vulnerability. See the application's changelog for more details about the update.
CVE-2025-5260 is a Server-Side Request Forgery vulnerability affecting Pik Online versions 0–3.1.5, allowing attackers to make requests on behalf of the server.
If you are using Pik Online versions 0 through 3.1.5, you are potentially affected by this SSRF vulnerability.
Upgrade Pik Online to version 3.1.5 or later to resolve the vulnerability. Implement temporary workarounds like input validation if immediate upgrade isn't possible.
While no active exploitation has been confirmed, the SSRF nature of the vulnerability suggests a potential for exploitation.
Refer to the official Pik Online advisory for detailed information and updates regarding CVE-2025-5260.