CVE-2025-3579 CRITICAL

CVE-2025-3579: Code Injection Vulnerability in AiDex

Vendor Aidex
Product AiDex
Weakness CWE-94 · Code injection
Published April 15, 2025
Last update April 15, 2025

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

In versions prior to Aidex 1.7, an authenticated malicious user, taking advantage of an open registry, could execute unauthorised commands within the system. This includes executing operating system (Unix) commands, interacting with internal services such as PHP or MySQL, and even invoking native functions of the framework used, such as Laravel or Symfony. This execution is achieved by Prompt Injection attacks through the /api/<string-chat>/message endpoint, manipulating the content of the ‘content’ parameter.

Key dates

02Disclosure timeline

April 15, 2025 CVE published
April 15, 2025 Record updated