CVE-2025-10278 Overview
CVE-2025-10278 is an improper authorization vulnerability [CWE-266] in YunaiV ruoyi-vue-pro, an open-source rapid development platform. The flaw affects versions up to 2025.09 and resides in the /crm/contact/transfer endpoint. Authenticated attackers can manipulate the ids and newOwnerUserId parameters to reassign CRM contact ownership without proper authorization checks. The exploit has been publicly disclosed, and the vendor did not respond to disclosure attempts. The vulnerability is exploitable remotely over the network.
Critical Impact
Authenticated remote attackers can transfer ownership of arbitrary CRM contacts by abusing the /crm/contact/transfer endpoint, undermining data integrity and confidentiality within the CRM module.
Affected Products
- YunaiV ruoyi-vue-pro versions up to and including 2025.09
- Deployments exposing the CRM module endpoints to authenticated users
- Forks or downstream projects reusing the unpatched /crm/contact/transfer handler
Discovery Timeline
- 2025-09-12 - CVE-2025-10278 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2025-10278
Vulnerability Analysis
The vulnerability resides in the CRM contact transfer functionality of ruoyi-vue-pro. The /crm/contact/transfer endpoint accepts an ids parameter identifying target contacts and a newOwnerUserId parameter specifying the new owner. The handler fails to verify that the calling user holds the required permissions over the targeted contact records. Any authenticated low-privilege user can therefore reassign ownership of records they do not own.
The weakness maps to [CWE-266] Incorrect Privilege Assignment. The EPSS probability for exploitation is 0.091%. The exploit details have been published through VulDB and a related CNBlogs security post.
Root Cause
The transfer handler enforces authentication but does not perform record-level authorization. Specifically, the controller skips the data permission check that should validate whether the requesting user owns the records referenced by ids or has administrative scope across the CRM module. Without this check, the underlying service updates the owner_user_id column for any record identifier supplied.
Attack Vector
The attack requires network access and a valid low-privilege account. An attacker authenticates to the ruoyi-vue-pro instance, enumerates or guesses CRM contact identifiers, and issues a request to /crm/contact/transfer with the harvested ids and a chosen newOwnerUserId. The server completes the ownership change without validating the requester's rights over the referenced contacts. The vulnerability description and proof-of-concept indicators are referenced in the VulDB Entry #323648 and the CNBlogs Security Post.
Detection Methods for CVE-2025-10278
Indicators of Compromise
- Unexpected HTTP POST requests to /crm/contact/transfer originating from low-privilege user sessions
- CRM audit log entries showing owner_user_id changes on contacts not previously associated with the requesting user
- Bulk ids parameter values referencing contacts spanning multiple owners in a single request
- Repeated transfer requests from a single account within a short window, suggesting enumeration
Detection Strategies
- Inspect application access logs for /crm/contact/transfer calls and correlate the authenticated user with the prior owner of each transferred record
- Alert when the count of contacts transferred by a non-administrator account exceeds normal business activity
- Compare newOwnerUserId values against expected workflow approvals from the CRM business process
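The detection strategies above, run over constructed sample data as an added example (this is not part of the advisory and not ruoyi-vue-pro code). The pipe-delimited access-log layout, the prior-owner snapshot and the administrator set are assumptions for the example; in a real deployment the prior owner comes from the CRM audit table and roles from the user directory. It flags transfers of contacts the requester did not own, batches spanning several prior owners, high per-account volume, and bursts of requests within a short window.

```python
# Added example: correlate /crm/contact/transfer requests with prior ownership.
# Log format, owner snapshot and role table are constructed for this example.
from collections import defaultdict
from datetime import datetime, timedelta

ENDPOINT = "/crm/contact/transfer"

# Constructed access-log lines: ts|user=<id>|method|path|ids=<csv>|newOwnerUserId=<id>
SAMPLE_LOG = """\
2025-09-12T10:00:01Z|user=10|POST|/crm/contact/transfer|ids=1,2|newOwnerUserId=30
2025-09-12T10:05:12Z|user=20|POST|/crm/contact/transfer|ids=1,3|newOwnerUserId=20
2025-09-12T10:05:15Z|user=20|POST|/crm/contact/transfer|ids=4,5,6|newOwnerUserId=20
2025-09-12T10:05:19Z|user=20|POST|/crm/contact/transfer|ids=7|newOwnerUserId=20
2025-09-12T10:40:00Z|user=1|POST|/crm/contact/transfer|ids=3|newOwnerUserId=10
2025-09-12T10:41:00Z|user=20|GET|/crm/contact/page|ids=|newOwnerUserId=
"""

# Constructed snapshot: owner_user_id of each contact before the requests above.
PRIOR_OWNER = {1: 10, 2: 10, 3: 20, 4: 10, 5: 30, 6: 30, 7: 10}
# Constructed role table: accounts with administrative scope over the CRM module.
CRM_ADMINS = {1}


def parse_transfer_requests(text):
    """Return only POST requests to the transfer endpoint as dicts."""
    events = []
    for line in text.splitlines():
        ts, user, method, path, ids, new_owner = line.split("|")
        if method != "POST" or path != ENDPOINT:
            continue  # skip before parsing ids, which may be empty on other routes
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": int(user.split("=", 1)[1]),
            "ids": [int(x) for x in ids.split("=", 1)[1].split(",") if x],
            "new_owner": int(new_owner.split("=", 1)[1]),
        })
    return events


def detect(events, prior_owner, admins,
           burst_window=timedelta(minutes=5), burst_count=3, volume_limit=2):
    """Apply the advisory's detection strategies; returns a list of alert tuples."""
    alerts = []
    per_user = defaultdict(list)
    for e in events:
        if e["user"] in admins:
            continue  # administrators are expected to transfer across owners
        per_user[e["user"]].append(e)
        owners = {prior_owner.get(cid) for cid in e["ids"]}
        # Strategy 1: requester is not the prior owner of every referenced record.
        foreign = [cid for cid in e["ids"] if prior_owner.get(cid) != e["user"]]
        if foreign:
            alerts.append(("foreign_transfer", e["user"], tuple(foreign)))
        # IoC: one batch touching contacts of several prior owners.
        if len(owners) > 1:
            alerts.append(("multi_owner_batch", e["user"],
                           tuple(sorted(o for o in owners if o is not None))))
    for user, evs in per_user.items():
        evs.sort(key=lambda x: x["ts"])
        # Strategy 2: volume of transferred contacts above the business baseline.
        total = sum(len(x["ids"]) for x in evs)
        if total > volume_limit:
            alerts.append(("volume", user, total))
        # IoC: burst_count or more requests inside burst_window (enumeration).
        for i in range(len(evs)):
            j = i
            while j < len(evs) and evs[j]["ts"] - evs[i]["ts"] <= burst_window:
                j += 1
            if j - i >= burst_count:
                alerts.append(("burst", user, j - i))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_transfer_requests(SAMPLE_LOG), PRIOR_OWNER, CRM_ADMINS):
        print(alert)
```

The thresholds (`volume_limit`, `burst_window`, `burst_count`) are placeholders; set them from the baseline of legitimate CRM ownership changes in your own environment, as the Monitoring Recommendations below describe.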
Monitoring Recommendations
- Forward ruoyi-vue-pro application and database audit logs to a centralized SIEM for correlation against user role data
- Track baseline patterns for CRM ownership changes and alert on deviations by user, time of day, and record volume
- Monitor authentication events for newly created or dormant accounts that suddenly invoke CRM transfer endpoints
How to Mitigate CVE-2025-10278
Immediate Actions Required
- Restrict access to the /crm/contact/transfer endpoint at the reverse proxy or API gateway until a patched build is deployed
- Review CRM contact ownership history and revert unauthorized transfers identified in audit logs
- Disable or reduce privileges of CRM user accounts that do not require contact transfer capability
- Rotate session tokens and credentials for accounts suspected of abusing the endpoint
Patch Information
No vendor advisory or fixed version has been published for ruoyi-vue-pro at the time of writing. According to the CVE record, the vendor did not respond to disclosure attempts. Operators should track the upstream repository for commits addressing the /crm/contact/transfer authorization logic and consult the VulDB CTI Report #323648 for updates.
Workarounds
- Apply a custom authorization filter in the CRM controller layer that validates the requesting user's ownership or administrative scope over each contact ID in the ids parameter
- Enforce role-based access control at the API gateway by restricting /crm/contact/transfer to designated CRM administrator roles
- Implement database-level row security or stored procedure checks that reject ownership updates where the session user is not the current owner or an administrator
- Enable verbose audit logging for all CRM ownership mutations and review them on a recurring schedule
# Example reverse proxy restriction (nginx)
location = /crm/contact/transfer {
    # Limit to internal admin network until patched
    allow 10.0.0.0/24;
    deny all;
    proxy_pass http://ruoyi_vue_pro_backend;
}
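The record-level check missing from the transfer handler (Root Cause above) and the custom authorization filter from the first workaround, shown side by side as an added example. This is not ruoyi-vue-pro code: the User, Contact and CrmContactService names are assumed for the illustration, and the service is an in-memory stand-in for the database layer. The unchecked method reproduces the behaviour the advisory describes; the hardened method verifies ownership or administrative scope for every id before touching any record, and treats unknown and foreign ids identically so the endpoint cannot be used to probe which contact ids exist.

```python
# Added example: unchecked vs. hardened CRM contact transfer. Names are assumed
# for the illustration and are not the project's classes.
from dataclasses import dataclass


@dataclass
class User:
    id: int
    is_crm_admin: bool = False


@dataclass
class Contact:
    id: int
    owner_user_id: int


class AuthorizationError(PermissionError):
    """Raised when the requester lacks rights over one or more referenced contacts."""


class CrmContactService:
    def __init__(self, contacts, users):
        self._contacts = {c.id: c for c in contacts}
        self._users = {u.id: u for u in users}

    def owner_of(self, contact_id):
        return self._contacts[contact_id].owner_user_id

    def transfer_unchecked(self, requester, ids, new_owner_user_id):
        """Behaviour described in the advisory: the caller is authenticated,
        but no check ties the requester to the records in ids."""
        for cid in ids:
            self._contacts[cid].owner_user_id = new_owner_user_id
        return list(ids)

    def transfer(self, requester, ids, new_owner_user_id):
        """Hardened variant: record-level authorization, all-or-nothing."""
        if new_owner_user_id not in self._users:
            raise ValueError("newOwnerUserId does not reference a user")
        unique_ids = sorted(set(ids))
        contacts = [self._contacts.get(cid) for cid in unique_ids]
        # Unknown ids and ids owned by someone else get the same response,
        # so the endpoint does not leak which contact ids exist.
        denied = [
            cid for cid, c in zip(unique_ids, contacts)
            if c is None or not (requester.is_crm_admin or c.owner_user_id == requester.id)
        ]
        if denied:
            raise AuthorizationError(f"not authorized for {len(denied)} contact id(s)")
        # Only after every id passed do we mutate anything.
        for c in contacts:
            c.owner_user_id = new_owner_user_id
        return unique_ids


def build_service():
    """Constructed sample data for the example."""
    users = [User(1, is_crm_admin=True), User(10), User(20), User(30)]
    contacts = [Contact(1, 10), Contact(2, 10), Contact(3, 20)]
    return CrmContactService(contacts, users)


if __name__ == "__main__":
    svc = build_service()
    try:
        svc.transfer(User(20), [1, 3], 20)  # contact 1 belongs to user 10
    except AuthorizationError as exc:
        print("rejected:", exc, "| contact 1 owner still", svc.owner_of(1))
```

Enforcing the check inside the service rather than only in the controller keeps it in force for any other caller of the transfer logic, and the all-or-nothing rule avoids leaving a batch half applied when one id fails the check.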
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.