CVE-2025-10291 Overview
CVE-2025-10291 is an improper authorization vulnerability [CWE-266] in linlinjava litemall versions up to 1.8.0. The flaw resides in the WxAftersaleController handler that services the /wx/aftersale/cancel endpoint. An authenticated remote attacker can manipulate the ID argument to cancel after-sale records belonging to other users. The vendor was contacted prior to disclosure but did not respond, and the exploit has been published.
Critical Impact
Authenticated remote attackers can manipulate the ID parameter on /wx/aftersale/cancel to perform unauthorized actions on other users' after-sale tickets.
Affected Products
- linlinjava litemall versions up to and including 1.8.0
- WxAftersaleController component handling /wx/aftersale/cancel
- Deployments exposing the WeChat (/wx/) API surface
Discovery Timeline
- 2025-09-12 - CVE-2025-10291 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2025-10291
Vulnerability Analysis
The vulnerability stems from missing ownership validation in the after-sale cancellation flow. When a request reaches /wx/aftersale/cancel, the controller accepts an ID argument identifying the after-sale ticket to cancel. The handler does not verify that the authenticated user owns the referenced record. Any logged-in user can submit another user's after-sale ID and trigger state changes on records that do not belong to them.
The weakness aligns with [CWE-266: Incorrect Privilege Assignment], where authorization is granted based on authentication alone rather than per-resource ownership checks. The attack is executable over the network with low attacker privileges and no user interaction. Impact is bounded to integrity and availability of after-sale records rather than broader system compromise.
Root Cause
The WxAftersaleController cancellation method trusts the client-supplied ID without correlating it to the session user ID. The service layer issues the cancellation database write directly against the provided primary key. No predicate enforces aftersale.userId == session.userId before the update executes.
Attack Vector
An attacker registers or authenticates to a litemall storefront, obtains a valid session token, then issues an HTTP request to /wx/aftersale/cancel with an ID value enumerated or guessed from sequential identifiers. The server processes the cancellation against the target user's after-sale record. The vulnerability mechanism is described in the published VulDB and Cnblogs analyses; no synthesized exploit code is reproduced here. See VulDB #323717 and the Cnblogs Security Analysis for technical specifics.
Detection Methods for CVE-2025-10291
Indicators of Compromise
- HTTP POST or GET requests to /wx/aftersale/cancel from a single session targeting multiple non-sequential ID values
- After-sale records transitioning to a cancelled state without corresponding owner activity in application logs
- Customer complaints referencing unexpected cancellation of refund or return requests
Detection Strategies
- Add server-side audit logging that records the requesting user ID alongside the after-sale ID for every /wx/aftersale/cancel invocation, then alert on mismatches
- Baseline normal request rates to /wx/aftersale/* endpoints and flag sessions that issue cancellations across many distinct ID values
- Correlate web access logs with database update events on the litemall_aftersale table to identify cross-user modifications
Monitoring Recommendations
- Forward application and reverse-proxy logs to a centralized log store and retain /wx/aftersale/cancel traffic for trend analysis
- Monitor for parameter tampering patterns such as rapid ID enumeration in authenticated sessions
- Track database integrity metrics for the after-sale table, including unexpected status transitions outside business hours
How to Mitigate CVE-2025-10291
Immediate Actions Required
- Inventory deployments running linlinjava litemall 1.8.0 or earlier and restrict exposure of the /wx/aftersale/cancel endpoint behind authenticated, rate-limited gateways
- Implement a server-side ownership check that rejects cancellation requests when the session user does not own the referenced ID
- Enable verbose audit logging on after-sale endpoints to capture potential abuse
Patch Information
No official vendor patch is available. The vendor did not respond to disclosure attempts according to the VulDB report. Operators must apply code-level fixes to WxAftersaleController.cancel to enforce ownership validation, or maintain a forked build with the fix applied. Track the upstream linlinjava/litemall repository for community patches.
Workarounds
- Add a web application firewall rule that inspects requests to /wx/aftersale/cancel and blocks sessions issuing cancellations against ID values not previously returned to that session
- Introduce a reverse-proxy filter that verifies the ID parameter against a per-session allowlist derived from prior /wx/aftersale/list responses
- Disable the after-sale cancellation feature at the routing layer until a code fix is deployed if business processes permit manual handling
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

