CVE-2025-10989 Overview
CVE-2025-10989 is an improper authorization vulnerability in yangzongzhuan RuoYi versions up to and including 4.8.1. The flaw lies in the /system/role/authUser/selectAll endpoint, where manipulation of the userIds parameter bypasses the intended authorization check (classified as CWE-266, Incorrect Privilege Assignment). An authenticated remote attacker with low privileges can exploit the issue over the network without user interaction. Public exploit details have been released, which increases the likelihood of opportunistic attacks against exposed instances. The vendor was contacted before disclosure but did not respond, so no official patch path was available at publication time.
Critical Impact
Authenticated attackers can manipulate the userIds parameter to bypass intended authorization controls on role-to-user assignment operations in RuoYi.
Affected Products
- yangzongzhuan RuoYi versions up to and including 4.8.1
- RuoYi /system/role/authUser/selectAll endpoint
- Deployments exposing the RuoYi administrative system over the network
Discovery Timeline
- 2025-09-26 - CVE-2025-10989 published to the National Vulnerability Database
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2025-10989
Vulnerability Analysis
RuoYi is a Java (Spring Boot) rapid development platform widely used for building backend administrative systems. The vulnerability affects the role authorization workflow, specifically the selectAll action used to assign users to a role. The endpoint accepts a userIds argument that controls which user identifiers are processed during the operation. Insufficient privilege checks on this parameter allow a low-privileged authenticated user to influence authorization decisions that should be restricted to administrators. The weakness maps to [CWE-266] Incorrect Privilege Assignment: the application lets the caller produce effects beyond its intended permission level. Because exploit details have been publicly released and no vendor patch has been confirmed, exposed RuoYi deployments remain at risk of opportunistic abuse.
Root Cause
The root cause is missing or insufficient server-side authorization validation on the /system/role/authUser/selectAll endpoint. RuoYi does not adequately verify that the caller is entitled to perform role-to-user assignment operations against the supplied userIds values: the check that is applied, if any, does not extend to those identifiers, so the effect of the request is driven by input that an authenticated client controls.
Attack Vector
The attack vector is network-based and requires low privileges with no user interaction. An attacker authenticates with a low-privileged account, then issues a crafted request to /system/role/authUser/selectAll with manipulated userIds values. Successful exploitation is rated as having limited impact on the confidentiality, integrity, and availability of role and user association data: the gain is the ability to alter role-to-user assignments that the account is not entitled to manage.
No verified public proof-of-concept code is included with this advisory. Refer to the VulDB entry #325912 and the Cnblogs Security Analysis for additional technical context.
Detection Methods for CVE-2025-10989
Indicators of Compromise
- HTTP requests to /system/role/authUser/selectAll originating from low-privileged user sessions
- Unexpected modifications to role-to-user assignments in RuoYi audit logs
- Multiple requests containing varied or enumerated userIds parameter values from a single account
Detection Strategies
- Inspect application logs for access to /system/role/authUser/ endpoints by accounts that do not hold administrative roles
- Correlate userIds parameter values with the authenticated session's authorized scope to identify mismatches
- Deploy web application firewall or gateway rules that flag role management endpoints invoked by non-administrative principals; this only works where the WAF or gateway can identify the session's principal (for example, through an authentication-aware proxy), since RuoYi's role assignments are not visible to it otherwise
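The correlation described in the detection strategies above, as an added example written for this page (it is not a RuoYi component or a vendor-supplied tool): it scans access-log lines in a simple constructed format and flags (1) /system/role/authUser/ calls made by accounts without the admin role and (2) accounts that send many distinct userIds values to selectAll. The log layout, account names, role map and threshold are all assumptions; map them onto the fields of your actual RuoYi access or audit log.

```java
// Added example, not from the advisory or the RuoYi project: correlates access-log lines for
// /system/role/authUser/ endpoints with an account-to-role map. The line format, accounts,
// role map and threshold below are constructed for this example.
package example.detect;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class RoleEndpointDetector {

    /** Constructed sample lines: "<timestamp> <account> <method> <path[?query]> <status>". */
    static final List<String> SAMPLE_LOG = Arrays.asList(
        "2025-09-27T10:00:01Z admin POST /system/role/authUser/selectAll?roleId=2&userIds=5,6 200",
        "2025-09-27T10:02:13Z jdoe POST /system/role/authUser/selectAll?roleId=2&userIds=7 200",
        "2025-09-27T10:02:14Z jdoe POST /system/role/authUser/selectAll?roleId=2&userIds=8 200",
        "2025-09-27T10:02:15Z jdoe POST /system/role/authUser/selectAll?roleId=2&userIds=9 200",
        "2025-09-27T10:05:00Z jdoe GET /system/user/profile 200");

    /** Constructed account-to-role map; in a real deployment load it from RuoYi's user/role tables. */
    static final Map<String, Set<String>> ROLES = new HashMap<>();
    static {
        ROLES.put("admin", new HashSet<>(Arrays.asList("admin")));
        ROLES.put("jdoe", new HashSet<>(Arrays.asList("common")));
    }

    static final String ROLE_ENDPOINT_PREFIX = "/system/role/authUser/";
    static final String SELECT_ALL = "/system/role/authUser/selectAll";
    /** Distinct userIds values per account at which enumeration is reported (assumed threshold). */
    static final int ENUMERATION_THRESHOLD = 3;

    static final Pattern LINE = Pattern.compile("^(\\S+) (\\S+) (\\S+) (\\S+) (\\d{3})$");

    /** Returns the userIds query parameter value, or null when the request carried none. */
    static String userIdsParam(String pathAndQuery) {
        int q = pathAndQuery.indexOf('?');
        if (q < 0) return null;
        for (String kv : pathAndQuery.substring(q + 1).split("&")) {
            int eq = kv.indexOf('=');
            if (eq > 0 && kv.substring(0, eq).equals("userIds")) {
                return kv.substring(eq + 1);
            }
        }
        return null;
    }

    /** Runs both rules over the lines and returns one finding per hit. */
    public static List<String> analyze(List<String> lines) {
        List<String> findings = new ArrayList<>();
        Map<String, Set<String>> userIdsPerAccount = new HashMap<>();

        for (String line : lines) {
            Matcher m = LINE.matcher(line);
            if (!m.matches()) continue; // skip lines that do not fit the assumed layout
            String timestamp = m.group(1), account = m.group(2), target = m.group(4);
            int q = target.indexOf('?');
            String path = q < 0 ? target : target.substring(0, q);
            if (!path.startsWith(ROLE_ENDPOINT_PREFIX)) continue;

            // Rule 1: role-management endpoint reached by an account without the admin role.
            Set<String> roles = ROLES.getOrDefault(account, new HashSet<>());
            if (!roles.contains("admin")) {
                findings.add(timestamp + " non-admin account '" + account + "' called " + path);
            }
            // Rule 2: remember each distinct userIds value an account sends to selectAll.
            String userIds = userIdsParam(target);
            if (path.equals(SELECT_ALL) && userIds != null) {
                userIdsPerAccount.computeIfAbsent(account, k -> new HashSet<>()).add(userIds);
            }
        }
        for (Map.Entry<String, Set<String>> e : userIdsPerAccount.entrySet()) {
            if (e.getValue().size() >= ENUMERATION_THRESHOLD) {
                findings.add("account '" + e.getKey() + "' sent " + e.getValue().size()
                        + " distinct userIds values to " + SELECT_ALL);
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        for (String finding : analyze(SAMPLE_LOG)) {
            System.out.println(finding);
        }
    }
}
```

On the constructed lines this reports jdoe's three selectAll calls under rule 1 (the profile request is outside the monitored prefix) and one enumeration finding under rule 2, while admin's call produces nothing. Rule 1 is the high-signal check for this CVE; rule 2 catches probing even from accounts that legitimately hold the role, so tune its threshold against normal administrative activity.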
Monitoring Recommendations
- Enable verbose audit logging for all RuoYi role and permission management endpoints
- Forward RuoYi application and access logs to a centralized SIEM for correlation against user role assignments
- Alert on privilege changes that occur outside scheduled administrative maintenance windows
How to Mitigate CVE-2025-10989
Immediate Actions Required
- Restrict network access to RuoYi administrative endpoints to trusted management networks or VPN clients
- Audit existing user-role assignments to identify unauthorized modifications since September 2025
- Disable or revoke unused low-privileged accounts that could be leveraged to authenticate against the endpoint
- Enforce additional access restrictions at a reverse proxy or API gateway in front of RuoYi, by source network or through an independent authentication layer; the proxy cannot see RuoYi's role assignments, so this narrows exposure rather than restoring the missing check
Patch Information
No official vendor patch has been published. The vendor did not respond to disclosure attempts according to the VulDB submission #653737. Administrators should track the upstream RuoYi project for future fixes and consider applying custom authorization filters on affected endpoints in the interim.
Workarounds
- Implement a reverse proxy rule that restricts /system/role/authUser/selectAll to administrators, for example by source network or by a separate authentication layer, since the proxy itself cannot evaluate RuoYi sessions
- Add an application-level interceptor that re-validates the caller's role, and the caller's authority over every supplied userIds value, before the request reaches the controller
- Limit RuoYi exposure to the public internet and require multi-factor authentication for all administrative accounts
# Example nginx rule to restrict access to the affected endpoint by source network.
# This narrows who can reach the endpoint; it does not restore the missing
# authorization check inside RuoYi and is a stop-gap only.
location /system/role/authUser/selectAll {   # prefix match: also covers sub-paths
    allow 10.0.0.0/8;                 # internal management network; adjust to your environment
    deny all;                         # every other client receives HTTP 403
    proxy_pass http://ruoyi_backend;  # upstream block for RuoYi, defined elsewhere in the config
}
# If nginx sits behind another proxy or load balancer, allow/deny sees that hop's address;
# configure the real_ip module (set_real_ip_from / real_ip_header) before relying on this rule.
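The re-validation described in the Root Cause section and in the interceptor workaround above, as an added example that is neither RuoYi's code nor a vendor fix: a Spring MVC HandlerInterceptor that guards the endpoint and refuses any request whose userIds values fall outside the caller's scope. The Caller and CallerResolver interfaces, the admin/scope model and the comma-separated userIds format are assumptions made for illustration; wire them to the application's actual session lookup.

```java
// Added example, not RuoYi's own code and not a vendor patch: a Spring HandlerInterceptor
// that re-validates the caller before /system/role/authUser/selectAll is dispatched.
// Assumptions (hypothetical, not taken from the RuoYi source): the caller's identity comes
// from a CallerResolver hook, and userIds is a comma-separated list of numeric ids.
package example.authz;

import java.io.IOException;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.web.servlet.HandlerInterceptor;

public class RoleAuthUserInterceptor implements HandlerInterceptor {

    /** Endpoint named in CVE-2025-10989. */
    static final String PROTECTED_PATH = "/system/role/authUser/selectAll";

    /** Minimal view of the authenticated caller (hypothetical; adapt to the session/Shiro lookup in use). */
    public interface Caller {
        boolean isAdmin();
        /** User ids this caller is allowed to manage, e.g. users inside its own data scope. */
        Set<Long> manageableUserIds();
    }

    /** Resolves the caller from the request (session, Shiro subject, ...). Hypothetical hook. */
    public interface CallerResolver {
        Caller resolve(HttpServletRequest request);
    }

    private final CallerResolver resolver;

    public RoleAuthUserInterceptor(CallerResolver resolver) {
        this.resolver = resolver;
    }

    // Register with WebMvcConfigurer#addInterceptors:
    //   registry.addInterceptor(new RoleAuthUserInterceptor(resolver)).addPathPatterns(PROTECTED_PATH);
    // The path check inside preHandle is defence in depth for when it is registered more broadly.
    @Override
    public boolean preHandle(HttpServletRequest req, HttpServletResponse res, Object handler)
            throws IOException {
        if (!PROTECTED_PATH.equals(normalize(req.getServletPath()))) {
            return true; // not the guarded endpoint
        }
        Caller caller = resolver.resolve(req);
        if (caller == null) {
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return false;
        }
        Set<Long> requested = parseUserIds(req.getParameter("userIds"));
        if (requested == null) {
            res.sendError(HttpServletResponse.SC_BAD_REQUEST, "malformed userIds");
            return false;
        }
        if (!isAuthorized(caller, requested)) {
            res.sendError(HttpServletResponse.SC_FORBIDDEN, "caller may not manage the requested userIds");
            return false;
        }
        return true;
    }

    /** The decision the advisory reports as missing: every requested id must lie in the caller's scope. */
    public static boolean isAuthorized(Caller caller, Set<Long> requested) {
        if (caller.isAdmin()) {
            return true;
        }
        return caller.manageableUserIds().containsAll(requested);
    }

    /** Drops path parameters (";jsessionid=...") and trailing slashes, which Spring would still route. */
    static String normalize(String path) {
        if (path == null) return "";
        int semi = path.indexOf(';');
        if (semi >= 0) path = path.substring(0, semi);
        while (path.length() > 1 && path.endsWith("/")) path = path.substring(0, path.length() - 1);
        return path;
    }

    /** Parses "1,2,3" into a set of ids; returns null when any element is not a number. */
    public static Set<Long> parseUserIds(String raw) {
        if (raw == null || raw.trim().isEmpty()) {
            return Collections.emptySet(); // nothing to assign; the controller decides what that means
        }
        Set<Long> ids = new HashSet<>();
        for (String part : raw.split(",")) {
            try {
                ids.add(Long.parseLong(part.trim()));
            } catch (NumberFormatException e) {
                return null;
            }
        }
        return ids;
    }
}
```

The interceptor complements, rather than replaces, whatever permission annotation the controller already carries: the reported weakness is that the existing check does not extend to the userIds values, and that is the gap isAuthorized closes. Keep the scope lookup server-side (database or session state), never derived from request parameters, or the same class of bypass reappears one layer up.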
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.