The send_message.php endpoint in SourceCodester Simple Public Chat Room 1.0 is vulnerable to Cross-Site Request Forgery (CSRF). The application does not implement any CSRF-protection mechanisms such as tokens, nonces, or same-site cookie restrictions. An attacker can create a malicious HTML page that, when visited by an authenticated user, will automatically submit a forged POST request to the vulnerable endpoint. This request will be executed with the victim's privileges, allowing the attacker to perform unauthorized actions on their behalf, such as sending arbitrary messages in any chat room.
References
| Link | Resource |
|---|---|
| https://github.com/floccocam-cpu/CVE-Research-2025/blob/main/CVE-2025-63710/README2.md | Exploit Mitigation Third Party Advisory |
| https://www.sourcecodester.com/php/12295/simple-public-chat-room-using-php.html | Product |
Configurations
History
17 Nov 2025, 18:18
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Pijey
Pijey simple Public Chat Room |
|
| CPE | cpe:2.3:a:pijey:simple_public_chat_room:1.0:*:*:*:*:*:*:* | |
| References | () https://github.com/floccocam-cpu/CVE-Research-2025/blob/main/CVE-2025-63710/README2.md - Exploit, Mitigation, Third Party Advisory | |
| References | () https://www.sourcecodester.com/php/12295/simple-public-chat-room-using-php.html - Product |
12 Nov 2025, 20:15
| Type | Values Removed | Values Added |
|---|---|---|
| CWE | CWE-352 | |
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.5 |
10 Nov 2025, 15:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2025-11-10 15:15
Updated : 2025-11-17 18:18
NVD link : CVE-2025-63710
Mitre link : CVE-2025-63710
CVE.ORG link : CVE-2025-63710
JSON object : View
Products Affected
pijey
- simple_public_chat_room
CWE
CWE-352
Cross-Site Request Forgery (CSRF)