NukeViet - v4.5.06 - Server Side Request Forgery

By 0xhamy 04:26 AM - September 29th 2025
Type: software
Product Environment: web
Product Name: NukeViet
Product Vendor: VINADES.,JSC
Product Version: 4.5.06
Product Link: https://github.com/nukeviet/nukeviet
Vulnerability Name: Server Side Request Forgery
Severity: High
CVSS String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
CVSS Score: 7.5
CVE ID: CVE-2025-8772
Vendor Acknowledgement: Yes
Affected Digital Assets: 3588
Affected Users: 358800
Date of Reporting: Jan 18, 2025
PoC Exploit: -
Credit: 0xhamy

Description

The NukeViet admin panel has a file read vulnerability in its upload endpoint (/nukeviet/admin/index.php?language=en&nv=upload): authenticated site moderators can make the server fetch a file from an arbitrary URL and store it as an upload, with no restriction on URLs that point at internal web services. An attacker with only limited moderation privileges can therefore exfiltrate sensitive internal files, such as archives or documents, by "uploading" them from the internal service to the platform and then downloading them locally.

The attack is somewhat constrained: by default only non-HTML media types (e.g., images, videos, audio), archives (e.g., tar, zip), and documents (e.g., PDF, DOCX) can be loaded, because text/html is disabled. The "Upload" function downloads the remote resource to the server first and only then stores it in NukeViet, which is what makes the internal fetch possible.


Reproduce

  1. Log in to the NukeViet admin panel (/nukeviet/admin/) using an account with at least "Module Administrator" privileges. Access to the "banners" module (or any file-upload-enabled module) is required.

  2. Navigate to the vulnerable upload endpoint:
    /nukeviet/admin/index.php?language=en&nv=upload

  3. From the directory list, select "banners".

  4. Click the "Select upload mode" button and choose "Remote upload".

  5. Enter an internal URL (e.g., http://127.0.0.1:8000/linkedin.tar), add a note if prompted, and click "Upload file".

  6. The system fetches the file from the internal source, stores it in NukeViet as an upload, and makes it available to the attacker for download.


Recommendation

  • URL Validation and Whitelisting: Enforce strict server-side checks on remote URLs to block internal (e.g., localhost, private IPs) or unauthorized domains. Implement a whitelist of allowed external sources only.

  • MIME Type Enforcement: Harden MIME type validation to prevent bypassing restrictions, and explicitly disable text/html and other risky types. Scan fetched content for malicious payloads before storage.

  • Privilege Restrictions: Use fine-grained role-based access control (RBAC) to limit remote upload features to essential roles only. Require elevated approvals or multi-factor authentication (MFA) for sensitive operations.

  • General Best Practices: Disable remote uploads entirely if not needed, log all upload attempts for auditing, and keep NukeViet updated. Consider web application firewalls (WAF) to detect anomalous internal fetches.
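The first recommendation above (server-side URL validation that rejects internal destinations and optionally enforces an allow-list) is illustrated by the following added example; it is not NukeViet's code and is written in Python rather than the project's PHP for clarity. The hostnames in FAKE_DNS and the fake_resolver are constructed so the check runs offline; the validator returns the addresses it vetted so the caller can connect to those directly instead of resolving the name a second time.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def system_resolver(host):
    """Resolve a hostname to all of its A/AAAA addresses as plain strings."""
    return [ai[4][0] for ai in socket.getaddrinfo(host, None)]

def is_public_address(ip):
    """True only for globally routable addresses; IPv4-mapped IPv6 is unwrapped first."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped          # ::ffff:127.0.0.1 must count as loopback
    # is_private covers RFC 1918, loopback, link-local (incl. cloud metadata
    # ranges) and the documentation nets; the rest are listed explicitly.
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def validate_remote_url(url, resolver=system_resolver, allowed_hosts=None):
    """Return (ok, reason, addresses). On success the fetch should connect to
    one of the returned addresses directly, so a changed DNS answer (rebinding)
    cannot swap in an internal host after the check has passed."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed", []
    if parts.username or parts.password:
        return False, "credentials in URL not allowed", []
    host = parts.hostname
    if not host:
        return False, "missing host", []
    if allowed_hosts is not None and host.lower() not in allowed_hosts:
        return False, "host not on allow-list", []
    try:
        addresses = [ipaddress.ip_address(host)]      # literal IP in the URL
    except ValueError:
        try:   # strip any IPv6 zone id ("%eth0") before parsing
            addresses = [ipaddress.ip_address(a.split("%")[0]) for a in resolver(host)]
        except OSError:
            return False, "DNS resolution failed", []
    if not addresses or not all(is_public_address(ip) for ip in addresses):
        return False, "host resolves to a non-public address", []
    return True, "ok", [str(ip) for ip in addresses]

# Constructed DNS table (hypothetical hostnames) so the example runs offline.
FAKE_DNS = {"cdn.example.com": ["93.184.216.34"],
            "intranet.example": ["10.0.0.5"]}

def fake_resolver(host):
    if host not in FAKE_DNS:
        raise socket.gaierror(f"no such host: {host}")
    return FAKE_DNS[host]
```

The same check has to be re-run on every redirect the fetch follows, since an allow-listed external host can redirect to an internal address; the MIME-type check from the second recommendation is applied separately to the downloaded body, not to the URL.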