Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-10291

CVE-2025-10291: Litemall Authorization Bypass Vulnerability

CVE-2025-10291 is an authorization bypass flaw in Linlinjava Litemall affecting versions up to 1.8.0. Attackers can manipulate the ID argument in WxAftersaleController to gain unauthorized access remotely.

Published:

CVE-2025-10291 Overview

CVE-2025-10291 is an improper authorization vulnerability [CWE-266] in linlinjava litemall versions up to 1.8.0. The flaw resides in the WxAftersaleController handler that services the /wx/aftersale/cancel endpoint. An authenticated remote attacker can manipulate the ID argument to cancel after-sale records belonging to other users. The vendor was contacted prior to disclosure but did not respond, and the exploit has been published.

Critical Impact

Authenticated remote attackers can manipulate the ID parameter on /wx/aftersale/cancel to perform unauthorized actions on other users' after-sale tickets.

Affected Products

  • linlinjava litemall versions up to and including 1.8.0
  • WxAftersaleController component handling /wx/aftersale/cancel
  • Deployments exposing the WeChat (/wx/) API surface

Discovery Timeline

  • 2025-09-12 - CVE-2025-10291 published to NVD
  • 2026-04-29 - Last updated in NVD database

Technical Details for CVE-2025-10291

Vulnerability Analysis

The vulnerability stems from missing ownership validation in the after-sale cancellation flow. When a request reaches /wx/aftersale/cancel, the controller accepts an ID argument identifying the after-sale ticket to cancel. The handler does not verify that the authenticated user owns the referenced record. Any logged-in user can submit another user's after-sale ID and trigger state changes on records that do not belong to them.

The weakness aligns with [CWE-266: Incorrect Privilege Assignment], where authorization is granted based on authentication alone rather than per-resource ownership checks. The attack is executable over the network with low attacker privileges and no user interaction. Impact is bounded to integrity and availability of after-sale records rather than broader system compromise.

Root Cause

The WxAftersaleController cancellation method trusts the client-supplied ID without correlating it to the session user ID. The service layer issues the cancellation database write directly against the provided primary key. No predicate enforces aftersale.userId == session.userId before the update executes.

Attack Vector

An attacker registers or authenticates to a litemall storefront, obtains a valid session token, then issues an HTTP request to /wx/aftersale/cancel with an ID value enumerated or guessed from sequential identifiers. The server processes the cancellation against the target user's after-sale record. The vulnerability mechanism is described in the published VulDB and Cnblogs analyses; no synthesized exploit code is reproduced here. See VulDB #323717 and the Cnblogs Security Analysis for technical specifics.

Detection Methods for CVE-2025-10291

Indicators of Compromise

  • HTTP POST or GET requests to /wx/aftersale/cancel from a single session targeting multiple non-sequential ID values
  • After-sale records transitioning to a cancelled state without corresponding owner activity in application logs
  • Customer complaints referencing unexpected cancellation of refund or return requests

Detection Strategies

  • Add server-side audit logging that records the requesting user ID alongside the after-sale ID for every /wx/aftersale/cancel invocation, then alert on mismatches
  • Baseline normal request rates to /wx/aftersale/* endpoints and flag sessions that issue cancellations across many distinct ID values
  • Correlate web access logs with database update events on the litemall_aftersale table to identify cross-user modifications

Monitoring Recommendations

  • Forward application and reverse-proxy logs to a centralized log store and retain /wx/aftersale/cancel traffic for trend analysis
  • Monitor for parameter tampering patterns such as rapid ID enumeration in authenticated sessions
  • Track database integrity metrics for the after-sale table, including unexpected status transitions outside business hours

How to Mitigate CVE-2025-10291

Immediate Actions Required

  • Inventory deployments running linlinjava litemall 1.8.0 or earlier and restrict exposure of the /wx/aftersale/cancel endpoint behind authenticated, rate-limited gateways
  • Implement a server-side ownership check that rejects cancellation requests when the session user does not own the referenced ID
  • Enable verbose audit logging on after-sale endpoints to capture potential abuse

Patch Information

No official vendor patch is available. The vendor did not respond to disclosure attempts according to the VulDB report. Operators must apply code-level fixes to WxAftersaleController.cancel to enforce ownership validation, or maintain a forked build with the fix applied. Track the upstream linlinjava/litemall repository for community patches.

Workarounds

  • Add a web application firewall rule that inspects requests to /wx/aftersale/cancel and blocks sessions issuing cancellations against ID values not previously returned to that session
  • Introduce a reverse-proxy filter that verifies the ID parameter against a per-session allowlist derived from prior /wx/aftersale/list responses
  • Disable the after-sale cancellation feature at the routing layer until a code fix is deployed if business processes permit manual handling

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.