{"id":"CVE-2025-14660","details":"An improper access control flaw has been found in DecoCMS Mesh up to 1.0.0-alpha.31. It affects the function createTool in the file packages/sdk/src/mcp/teams/api.ts of the component Workspace Domain Handler, and is triggered by manipulating the argument domain. The attack can be initiated remotely, but its complexity is rather high and exploitation appears to be difficult. The exploit has been published and may be used. Upgrading to version 1.0.0-alpha.32 addresses this issue; the patch is commit 5f7315e05852faf3a9c177c0a34f9ea9b0371d3d. It is recommended to upgrade the affected component. Note that the tag list in this record also includes runtime-v1.0.0-alpha.32 and later tags, so confirm exposure by checking for the fix commit rather than by tag name alone.","modified":"2026-02-17T07:57:07.360448Z","published":"2025-12-14T13:15:35.963Z","references":[{"type":"WEB","url":"https://github.com/decocms/mesh/releases/tag/runtime-v1.0.0-alpha.32"},{"type":"WEB","url":"https://vuldb.com/?ctiid.336392"},{"type":"WEB","url":"https://vuldb.com/?id.336392"},{"type":"WEB","url":"https://vuldb.com/?submit.713741"},{"type":"FIX","url":"https://github.com/decocms/mesh/commit/5f7315e05852faf3a9c177c0a34f9ea9b0371d3d"},{"type":"FIX","url":"https://github.com/decocms/mesh/pull/1967"},{"type":"FIX","url":"https://github.com/decocms/mesh/pull/1967#issue-3700934099"},{"type":"FIX","url":"https://github.com/decocms/mesh/pull/1967#issuecomment-3622379237"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/decocms/mesh","events":[{"introduced":"0"},{"fixed":"2ba6478c30c52f640df09098744294380946f4a1"},{"introduced":"0"},{"fixed":"5f7315e05852faf3a9c177c0a34f9ea9b0371d3d"}]}],"versions":["bindings-v1.0.1-alpha.10","bindings-v1.0.1-alpha.11","bindings-v1.0.1-alpha.12","bindings-v1.0.1-alpha.13","bindings-v1.0.1-alpha.14","bindings-v1.0.1-alpha.16","bindings-v1.0.1-alpha.17","bindings-v1.0.1-alpha.18","bindings-v1.0.1-alpha.20","bindings-v1.0.1-alpha.21","bindings-v1.0.1-alpha.22","bindings-v1.0.1-alpha.23","bindings-v1.0.1-alpha.24","bindings-v1.0.1-alpha.3","cli-v0.10.2","cli-v0.10.3","cli-v
0.10.4","cli-v0.10.5","cli-v0.10.6","cli-v0.10.7","cli-v0.11.7","cli-v0.11.8","cli-v0.12.0","cli-v0.12.1","cli-v0.12.2","cli-v0.12.3","cli-v0.12.4","cli-v0.13.0","cli-v0.13.1","cli-v0.13.2","cli-v0.14.0","cli-v0.14.1","cli-v0.14.2","cli-v0.15.0","cli-v0.15.1","cli-v0.15.2","cli-v0.15.3","cli-v0.15.4","cli-v0.15.5","cli-v0.15.6","cli-v0.16.0","cli-v0.16.1","cli-v0.16.2","cli-v0.17.0","cli-v0.17.1","cli-v0.17.2","cli-v0.17.3","cli-v0.17.4","cli-v0.17.5","cli-v0.17.6","cli-v0.17.7","cli-v0.18.0","cli-v0.18.1","cli-v0.19.0","cli-v0.19.2","cli-v0.19.3","cli-v0.20.0","cli-v0.20.1","cli-v0.21.0","cli-v0.21.1","cli-v0.21.2","cli-v0.21.3","cli-v0.21.4","cli-v0.21.5","cli-v0.22.0","cli-v0.22.1","cli-v0.22.2","cli-v0.22.3","cli-v0.22.4","cli-v0.22.5","cli-v0.23.0","cli-v0.23.1","cli-v0.23.2","cli-v0.24.2","cli-v0.24.3","cli-v0.24.4","cli-v0.24.5","cli-v0.24.6","cli-v0.25.0","cli-v0.26.0","cli-v0.27.0","cli-v0.28.0","cli-v0.28.1","cli-v0.28.2","cli-v0.28.3","cli-v0.28.4","cli-v0.28.5","create-deco-v1.0.10","create-deco-v1.0.2","create-deco-v1.0.3","create-deco-v1.0.4","create-deco-v1.0.5","create-deco-v1.0.6","create-deco-v1.0.7","create-deco-v1.0.8","create-deco-v1.0.9","create-deco-v1.1.0","create-deco-v1.1.1","create-deco-v1.1.2","create-deco-v1.1.3","mesh-npm-v1.0.0-alpha.1","mesh-npm-v1.0.0-alpha.12","mesh-npm-v1.0.0-alpha.2","mesh-npm-v1.0.0-alpha.3","mesh-npm-v1.0.0-alpha.4","mesh-npm-v1.0.0-alpha.6","mesh-npm-v1.0.0-alpha.8","mesh-npm-v1.0.0-alpha.9","mesh-v0.1.0","mesh-v0.1.0-beta.12","mesh-v0.1.0-beta.13","mesh-v0.1.1","mesh-v0.1.10","mesh-v0.1.11","mesh-v0.1.2","mesh-v0.1.23","mesh-v0.1.24","mesh-v0.1.25","mesh-v0.1.26","mesh-v0.1.27","mesh-v0.1.28","mesh-v0.1.29","mesh-v0.1.3","mesh-v0.1.30","mesh-v0.1.31","mesh-v0.1.32","mesh-v0.1.33","mesh-v0.1.34","mesh-v0.1.35","mesh-v0.1.36","mesh-v0.1.37","mesh-v0.1.4","mesh-v0.1.5","mesh-v0.1.6","mesh-v0.1.7","mesh-v0.1.8","mesh-v0.1.9","mesh-v0.2.1","mesh-v0.2.2","mesh-v0.2.3","mesh-v0.2.4","mesh-v0.2.5","runtime-v1.0.0-alph
a.10","runtime-v1.0.0-alpha.11","runtime-v1.0.0-alpha.12","runtime-v1.0.0-alpha.17","runtime-v1.0.0-alpha.18","runtime-v1.0.0-alpha.19","runtime-v1.0.0-alpha.20","runtime-v1.0.0-alpha.21","runtime-v1.0.0-alpha.22","runtime-v1.0.0-alpha.23","runtime-v1.0.0-alpha.24","runtime-v1.0.0-alpha.25","runtime-v1.0.0-alpha.26","runtime-v1.0.0-alpha.27","runtime-v1.0.0-alpha.28","runtime-v1.0.0-alpha.29","runtime-v1.0.0-alpha.30","runtime-v1.0.0-alpha.31","runtime-v1.0.0-alpha.32","runtime-v1.0.0-alpha.33","runtime-v1.0.0-alpha.34","runtime-v1.0.0-alpha.35","runtime-v1.0.0-alpha.36","runtime-v1.0.0-alpha.37","runtime-v1.0.0-alpha.38","runtime-v1.0.0-alpha.39","runtime-v1.0.0-alpha.40","runtime-v1.0.0-alpha.41","runtime-v1.0.0-alpha.5","v1.0.0-alpha.13","v1.0.0-alpha.14","v1.0.0-alpha.15","v1.0.0-alpha.16","v1.0.0-alpha.17","v1.0.0-alpha.18","v1.0.0-alpha.19","v1.0.0-alpha.20","v1.0.0-alpha.21","v1.0.0-alpha.22","v1.0.0-alpha.23","v1.0.0-alpha.24","v1.0.0-alpha.25","v1.0.0-alpha.26","v1.0.0-alpha.27","v1.0.0-alpha.28","v1.0.0-alpha.29","v1.0.0-alpha.30","v1.0.0-alpha.31"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-14660.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"}]}