Cross-Site Request Forgery Vulnerability in Wimi Teamwork by Wimi
CVE-2025-34133

7 HIGH

Key Information:

Vendor
CVE Published: 27 October 2025

What is CVE-2025-34133?

Wimi Teamwork, prior to version 7.38.17, is susceptible to a cross-site request forgery vulnerability within its API. This flaw allows attackers to bypass the verification process of the 'csrf_token' JSON field, as the API only checks for the presence of the token rather than its validity. As a result, an attacker can forge a request that exploits the privileges of a logged-in user, enabling potential account takeovers, privilege escalations, or service disruptions through unauthorized actions performed using the victim's session.
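The difference between checking that a token is present and checking that it is valid, as an added example that is not Wimi's code. The session store, function names and request bodies are constructed for illustration.

```python
import hmac
import json
import secrets

# Constructed server-side session store: session id -> CSRF token issued at login.
SESSIONS = {"sess-alice": {"user": "alice", "csrf_token": secrets.token_urlsafe(32)}}


def parse_json_object(body):
    """Return the request body as a dict, or None if it is not a JSON object."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return None
    return data if isinstance(data, dict) else None


def presence_only_check(session_id, body):
    """Flawed pattern: any request carrying a csrf_token key is accepted."""
    data = parse_json_object(body)
    return session_id in SESSIONS and data is not None and "csrf_token" in data


def validated_check(session_id, body):
    """Corrected pattern: the token must equal the one bound to the session."""
    session = SESSIONS.get(session_id)
    data = parse_json_object(body)
    if session is None or data is None:
        return False
    supplied = data.get("csrf_token")
    if not isinstance(supplied, str) or not supplied:
        return False
    # Constant-time comparison avoids leaking the token through timing.
    return hmac.compare_digest(supplied.encode(), session["csrf_token"].encode())


def demo():
    """Run a constructed cross-site body and a legitimate body through both checks."""
    forged = json.dumps({"action": "rename_project", "csrf_token": "x"})
    legit = json.dumps({"action": "rename_project",
                        "csrf_token": SESSIONS["sess-alice"]["csrf_token"]})
    return {
        "presence_forged": presence_only_check("sess-alice", forged),
        "validated_forged": validated_check("sess-alice", forged),
        "validated_legit": validated_check("sess-alice", legit),
    }


if __name__ == "__main__":
    print(demo())
```

The presence-only check accepts the body with a placeholder token, while the validated check rejects it and still accepts the request carrying the session's real token.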

Affected Version(s)

Wimi Teamwork 0 < 7.38.17

CVSS V4

Score: 7
Severity: HIGH
Confidentiality: Low
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Noa Tchoumak