← back
CVE-2025-8355

XXE leading to SSRF

CVSS 7.5 HIGHEPSS 6.9%CWE-611
Vexday Risk Score
21Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 7.5EPSS 6.9%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
08 Aug 2025Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
In Xerox FreeFlow Core version 8.0.4, improper handling of XML input allows injection of external entities. An attacker can craft malicious XML containing references to internal URLs, this results in a Server-Side Request Forgery (SSRF).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected products
Xerox · FreeFlow Core

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://securitydocs.business.xerox.com/wp-content/uploads/2025/08/Xerox-Security-Bulletin-025-013-for-Freeflow-Core-8.0.5.pdf