CVE-2025-13796: Server-Side Request Forgery in deco-cx apps
A security vulnerability has been detected in deco-cx apps up to 0.120.1. Affected by this vulnerability is the function AnalyticsScript of the file website/loaders/analyticsScript.ts of the component Parameter Handler. Such manipulation of the argument url leads to server-side request forgery. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 0.120.2 addresses this issue. It is suggested to upgrade the affected component.
AI Analysis
Technical Summary
CVE-2025-13796 is a server-side request forgery vulnerability identified in the deco-cx apps, specifically in versions 0.120.0 and 0.120.1. The vulnerability resides in the AnalyticsScript function of the website/loaders/analyticsScript.ts file, part of the Parameter Handler component. The issue arises from improper validation or sanitization of the url parameter, which an attacker can manipulate to coerce the server into making arbitrary HTTP requests. These requests can target internal or external systems, potentially exposing sensitive information, bypassing firewalls, or enabling further attacks such as internal network reconnaissance or exploitation of other internal services. The vulnerability can be exploited remotely without requiring authentication or user interaction, increasing its risk profile. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:L), no user interaction (UI:N), and low impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). Although the impact is rated low on CIA triad components, the ability to perform SSRF can facilitate more severe chained attacks. The vulnerability was publicly disclosed on November 30, 2025, and the vendor has released version 0.120.2 to address the issue. No known active exploits have been reported yet, but public disclosure increases the likelihood of exploitation attempts.
Potential Impact
For European organizations, this SSRF vulnerability poses a moderate risk. Organizations using deco-cx apps in affected versions may have their internal networks probed or sensitive internal services accessed by attackers leveraging the SSRF flaw. This can lead to unauthorized data exposure, internal service disruption, or pivoting to more critical systems. The vulnerability's remote exploitability without authentication means attackers can attempt exploitation over the internet, increasing the attack surface. Industries with sensitive data or critical infrastructure relying on deco-cx apps could face increased risk of data breaches or service interruptions. Additionally, SSRF can be used to bypass network access controls, potentially undermining perimeter defenses. The medium CVSS score reflects these risks, but the actual impact depends on the deployment context and network segmentation practices within organizations.
Mitigation Recommendations
European organizations should immediately upgrade deco-cx apps to version 0.120.2 or later to remediate the vulnerability. In addition to patching, organizations should implement strict input validation and sanitization on all user-controllable parameters, especially URLs used in server-side requests. Network segmentation should be enforced to limit the server's ability to access internal resources unnecessarily. Employing web application firewalls (WAFs) with rules to detect and block SSRF patterns can provide an additional layer of defense. Monitoring and logging of outbound server requests should be enhanced to detect anomalous or unauthorized requests indicative of SSRF exploitation attempts. Organizations should also review and restrict the server's outbound network permissions to only necessary destinations, minimizing the potential impact of SSRF. Regular security assessments and penetration testing targeting SSRF vulnerabilities can help identify residual risks.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2025-11-30T13:54:14.862Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 692cd729c368b5914d210412
Added to database: 11/30/2025, 11:45:45 PM
Last enriched: 12/7/2025, 11:57:48 PM
Last updated: 1/18/2026, 4:18:38 PM