Platform: other
Component: pik-online
Fixed in: 3.1.5
A Server-Side Request Forgery (SSRF) vulnerability has been identified in Pik Online, affecting versions prior to 3.1.5. This flaw allows attackers to manipulate the application into making requests to unintended internal or external resources. Successful exploitation could lead to unauthorized data access or further compromise of the system. The vulnerability has been fixed in version 3.1.5.
The SSRF vulnerability in Pik Online allows an attacker to craft malicious requests that the application will execute on behalf of the server. This can be leveraged to access internal services that are not directly exposed to the internet, such as databases, administrative panels, or other sensitive resources. An attacker could potentially exfiltrate sensitive data, perform reconnaissance on the internal network, or even gain a foothold for further attacks. The blast radius extends to any internal resources accessible via HTTP/HTTPS requests from the Pik Online server.
The vulnerability was publicly disclosed on 2025-08-20. No public proof-of-concept (PoC) code is currently available, but the SSRF nature of the vulnerability makes it likely that one will emerge. The CVSS score of 8.6 indicates a high probability of exploitation if the vulnerability is exposed and accessible. It is not currently listed on the CISA KEV catalog.
Organizations utilizing Pik Online, particularly those with sensitive internal resources accessible via HTTP/HTTPS, are at risk. Environments with older, unpatched Pik Online instances are especially vulnerable. Shared hosting environments where Pik Online is deployed alongside other applications should also be considered at higher risk.
disclosure
Exploit status
EPSS: 0.07% (20th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-5260 is to immediately upgrade Pik Online to version 3.1.5 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds such as strict input validation and output sanitization to prevent the construction of malicious URLs. Additionally, configure a Web Application Firewall (WAF) to block requests containing suspicious URL patterns or protocols. Monitor Pik Online logs for unusual outbound requests that may indicate exploitation attempts.
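The strict input validation recommended above amounts to deciding, before the server fetches anything, whether a user-supplied URL points only at public resources. The following Python check is an added illustration and is not Pik Online's own code; the SAMPLE_DNS table, its host names and the addresses in it are constructed so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def system_resolver(host):
    """Return every address the host currently resolves to (A and AAAA)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_safe_outbound_url(url, resolver=system_resolver):
    """Decide whether the server may fetch a user-supplied URL.

    Rejects non-HTTP schemes, embedded credentials, unresolvable hosts and
    any host whose addresses are not all public (loopback, RFC 1918,
    link-local, IPv4-mapped IPv6 and other reserved ranges are refused).
    The fetch that follows should connect to the address validated here
    and re-check every redirect target, otherwise DNS rebinding or an
    open redirect can bypass the check.
    """
    try:
        parts = urlsplit(url)
    except ValueError:          # e.g. malformed IPv6 brackets
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname
    if not host:
        return False
    try:                        # literal address: no DNS lookup needed
        return ipaddress.ip_address(host).is_global
    except ValueError:
        pass
    try:
        addrs = resolver(host)
    except OSError:             # NXDOMAIN or resolver failure: fail closed
        return False
    # One non-public record is enough to refuse (guards against split answers).
    return bool(addrs) and all(ipaddress.ip_address(a).is_global for a in addrs)


# Constructed DNS table so the example runs offline; these are not real hosts.
SAMPLE_DNS = {
    "cdn.example": {"93.184.216.34"},
    "intranet.example": {"10.0.0.5"},
    "mixed.example": {"93.184.216.34", "127.0.0.1"},
}


def sample_resolver(host):
    """Stand-in for system_resolver that answers from SAMPLE_DNS."""
    if host not in SAMPLE_DNS:
        raise OSError("no such host")
    return SAMPLE_DNS[host]
```

Pass `resolver=sample_resolver` to exercise the check without network access; in production leave the default so the live DNS answer is what gets validated.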
Update Pik Online to version 3.1.5 or later. This update fixes the SSRF vulnerability. Consult the application's changelog for more details about the update.
CVE-2025-5260 is a Server-Side Request Forgery vulnerability affecting Pik Online versions 0–3.1.5, allowing attackers to make requests on behalf of the server.
If you are using Pik Online versions 0 through 3.1.5, you are potentially affected by this SSRF vulnerability.
Upgrade Pik Online to version 3.1.5 or later to resolve the vulnerability. Implement temporary workarounds like input validation if immediate upgrade isn't possible.
While no active exploitation has been confirmed, the SSRF nature of the vulnerability suggests a potential for exploitation.
Refer to the official Pik Online advisory for detailed information and updates regarding CVE-2025-5260.