CVE-2025-10393 is a server-side request forgery (SSRF) vulnerability identified in the miurla morphic software, specifically affecting versions 0.4.0 through 0.4.5. The vulnerability resides in the fetchHtml function within the /api/advanced-search endpoint, part of the HTTP Status Code 3xx Handler component. SSRF vulnerabilities allow an attacker to manipulate the server into making unintended HTTP requests to internal or external resources. In this case, the flaw enables remote attackers to craft malicious requests that cause the server to fetch arbitrary URLs, potentially accessing internal services or sensitive data not otherwise exposed. The vulnerability does not require user interaction or authentication, and the attack vector is network accessible, making exploitation feasible remotely. The CVSS 4.0 base score is 5.3 (medium severity), reflecting low complexity and no privileges required, but limited impact on confidentiality, integrity, and availability. Although no known exploits are currently observed in the wild, a proof-of-concept exploit has been published, increasing the risk of exploitation. The lack of patches at the time of reporting indicates that affected users must rely on mitigation strategies until official fixes are released. SSRF can be leveraged for reconnaissance, bypassing firewalls, accessing internal-only services, or pivoting within a network, which can escalate the threat depending on the environment and network segmentation.

For European organizations using miurla morphic versions 0.4.0 to 0.4.5, this SSRF vulnerability poses a moderate risk. Exploitation could allow attackers to access internal network resources, potentially exposing sensitive information or enabling further lateral movement within corporate networks. This is particularly concerning for organizations with critical internal services that are not externally accessible but reachable via the vulnerable server. The impact on confidentiality is moderate due to possible unauthorized data access; integrity and availability impacts are limited but could escalate if SSRF is chained with other vulnerabilities. Given the remote exploitability without authentication, attackers can attempt exploitation from outside the network perimeter. European entities in sectors such as finance, healthcare, and government, which often rely on internal web services and have strict data protection requirements under GDPR, may face compliance and reputational risks if exploited. However, the medium severity and absence of known active exploitation reduce immediate widespread impact. Still, the presence of a public exploit increases the urgency for mitigation.

1. Immediate mitigation should include implementing strict input validation and sanitization on the fetchHtml function to restrict URLs to trusted domains or internal endpoints. 2. Employ allowlists for outbound requests initiated by the vulnerable endpoint, blocking requests to unauthorized or internal IP ranges. 3. Use network-level controls such as firewall rules or proxy configurations to prevent the server from making arbitrary outbound HTTP requests, especially to sensitive internal services. 4. Monitor logs for unusual outbound requests from the affected endpoint to detect potential exploitation attempts. 5. If possible, temporarily disable or restrict access to the /api/advanced-search endpoint until a vendor patch is available. 6. Stay updated with miurla vendor advisories for patches or official fixes and apply them promptly once released. 7. Conduct internal security assessments to identify and secure internal services that could be targeted via SSRF. 8. Employ Web Application Firewalls (WAFs) with rules designed to detect and block SSRF attack patterns targeting this endpoint.