CVE-2025-5522 Overview
A critical improper authorization vulnerability has been identified in bskms (蓝天幼儿园管理系统 - Blue Sky Kindergarten Management System), developed by jack0240 魏. The vulnerability affects the User Creation Handler component, specifically the /sa/addUser endpoint. Because the endpoint lacks proper authorization controls, unauthenticated remote attackers can potentially create user accounts, leading to unauthorized access to the system.
Critical Impact
Remote attackers can bypass authorization controls to create user accounts, potentially gaining unauthorized access to sensitive kindergarten management data including student and staff information.
Affected Products
- bskms (蓝天幼儿园管理系统) up to commit dffe6640b5b54d8e29da6f060e0493fea74b3fad
- All versions prior to the identified commit (rolling release model)
Discovery Timeline
- June 3, 2025 - CVE-2025-5522 published to NVD
- April 15, 2026 - Last updated in NVD database
Technical Details for CVE-2025-5522
Vulnerability Analysis
This vulnerability is classified as CWE-266 (Incorrect Privilege Assignment), which falls under the broader category of broken access control vulnerabilities. The affected endpoint /sa/addUser within the User Creation Handler component lacks proper authorization checks, allowing unauthorized users to perform privileged operations.
The vulnerability exists in a kindergarten management system that uses continuous delivery with rolling releases. Due to this development model, specific version numbers are not available, making it challenging to identify precisely which deployments are affected. The commit hash dffe6640b5b54d8e29da6f060e0493fea74b3fad represents the most recent known affected state of the application.
The network-accessible nature of this vulnerability means that any attacker with network access to the application can attempt exploitation without requiring prior authentication or user interaction.
Root Cause
The root cause of this vulnerability is improper implementation of authorization controls in the /sa/addUser endpoint. The application fails to verify that requests to create new user accounts originate from authenticated and authorized administrators. This allows unauthenticated attackers to bypass the intended access control mechanisms and directly invoke user creation functionality.
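As an added illustration that is not bskms code, the following Python model shows the check the /sa/addUser handler is described as lacking: a handler that creates an account for any caller next to a hardened one that first requires a server-issued session and then an administrator role. The session store, user table, request shape and role name are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

ADMIN_ROLE = "admin"  # assumed role name; the real bskms role model is not on the page

@dataclass
class Request:
    path: str
    session_id: Optional[str]  # None when the caller presents no session
    params: dict

@dataclass
class App:
    # session_id -> {"user": ..., "role": ...} and username -> role (assumed shapes)
    sessions: dict = field(default_factory=dict)
    users: dict = field(default_factory=dict)

    def add_user_vulnerable(self, req: Request):
        # Mirrors the reported flaw: the caller's identity is never examined,
        # so any request that reaches /sa/addUser creates an account.
        self.users[req.params["username"]] = req.params.get("role", "user")
        return 200, "created"

    def add_user_fixed(self, req: Request):
        # Authentication: the request must carry a session the server issued.
        session = self.sessions.get(req.session_id) if req.session_id else None
        if session is None:
            return 401, "authentication required"
        # Authorization: only administrators may create accounts.
        if session.get("role") != ADMIN_ROLE:
            return 403, "administrator role required"
        username = req.params["username"]
        if username in self.users:
            return 409, "user already exists"
        self.users[username] = req.params.get("role", "user")
        return 200, "created"
```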
Attack Vector
The attack can be launched remotely over the network against the /sa/addUser endpoint. An attacker can send crafted HTTP requests to this endpoint to create new user accounts without proper authorization. The exploit has been disclosed publicly, increasing the risk of active exploitation.
The attack requires no authentication or special privileges, and no user interaction is necessary for successful exploitation. This makes the vulnerability particularly dangerous for internet-facing deployments of the affected kindergarten management system.
Detection Methods for CVE-2025-5522
Indicators of Compromise
- Unexpected user account creation entries in application logs
- HTTP requests to /sa/addUser endpoint from unauthorized sources or IP addresses
- New user accounts appearing in the system without corresponding legitimate creation events
- Anomalous access patterns to administrative endpoints from non-administrative sessions
Detection Strategies
- Monitor web server access logs for requests to /sa/addUser endpoint, especially those without valid session tokens
- Implement alerting for user creation events that bypass the normal administrative workflow
- Deploy Web Application Firewall (WAF) rules to detect and block unauthorized requests to the user creation endpoint
- Review authentication logs for patterns indicating authorization bypass attempts
Monitoring Recommendations
- Enable detailed logging for all requests to the /sa/addUser endpoint
- Configure SIEM rules to correlate user creation events with authentication status
- Implement real-time alerting for any user creation activity occurring outside normal business hours or from unexpected geographic locations
- Conduct regular audits of user accounts to identify unauthorized or suspicious entries
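The detection and monitoring items above, combined into one script as an added example that is not from the page or the project: it scans constructed nginx-style access log lines for /sa/addUser calls and flags each one that has no session, a session not known to belong to an administrator (assumed to be taken from the authentication log), a source outside the trusted admin network, or a timestamp outside business hours. The trailing sess= log field, the network range and the hours are assumptions.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed format: nginx "combined" plus a trailing sess=<session id> field
# (logged from the session cookie, "-" when absent). Regex is constructed.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)" sess=(?P<sess>\S+)'
)
TRUSTED_NETS = [ip_network("10.0.0.0/8")]  # assumed admin network
BUSINESS_HOURS = range(8, 18)               # assumed 08:00-17:59
ENDPOINT = "/sa/addUser"

def parse(line):
    """Parse one access log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def detect(lines, admin_sessions):
    """Return (line_no, ip, reasons) for suspicious /sa/addUser requests."""
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse(line)
        if rec is None or rec["path"] != ENDPOINT:
            continue
        reasons = []
        if rec["sess"] == "-":
            reasons.append("no session")
        elif rec["sess"] not in admin_sessions:
            reasons.append("session not an admin session")
        if not any(ip_address(rec["ip"]) in net for net in TRUSTED_NETS):
            reasons.append("source outside trusted network")
        if rec["ts"].hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        # A 200 on a flagged call means the server did not reject it,
        # so an account was most likely created: audit the user table.
        if reasons and rec["status"] == "200":
            reasons.append("request succeeded")
        if reasons:
            findings.append((n, rec["ip"], "; ".join(reasons)))
    return findings

SAMPLE_LOG = [  # constructed sample lines
    '10.0.0.5 - - [03/Jun/2025:10:12:01 +0000] "POST /sa/addUser HTTP/1.1" 200 57 "-" "Mozilla/5.0" sess=a1',
    '203.0.113.9 - - [03/Jun/2025:10:13:44 +0000] "POST /sa/addUser HTTP/1.1" 200 57 "-" "python-requests/2.31" sess=-',
    '10.0.0.7 - - [03/Jun/2025:23:02:10 +0000] "POST /sa/addUser HTTP/1.1" 200 57 "-" "Mozilla/5.0" sess=t9',
    '10.0.0.5 - - [03/Jun/2025:10:15:00 +0000] "GET /index HTTP/1.1" 200 1200 "-" "Mozilla/5.0" sess=a1',
]
ADMIN_SESSIONS = {"a1"}  # constructed: admin session ids taken from the auth log
```

Feeding a real log requires only that the session field be added to the nginx log_format; a legitimate admin call from the trusted network during business hours produces no finding.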
How to Mitigate CVE-2025-5522
Immediate Actions Required
- Update the bskms application to the latest available commit from the Gitee repository
- Restrict network access to the /sa/addUser endpoint using firewall rules or reverse proxy configurations
- Implement additional authentication and authorization checks at the application or infrastructure level
- Audit existing user accounts for any unauthorized entries and remove or disable them
Patch Information
Due to the rolling release development model used by this product, no specific version numbers or patch identifiers are available. Organizations using this software should pull the latest code from the official repository and verify that authorization controls have been properly implemented for the User Creation Handler component.
For detailed vulnerability information, refer to the VulDB entry #310958 and the original Gitee Issue Report.
Workarounds
- Implement network-level access controls to restrict access to the /sa/addUser endpoint to trusted IP addresses only
- Deploy a Web Application Firewall (WAF) with rules to require authentication headers for administrative endpoints
- Configure reverse proxy authentication for all requests to administrative paths including /sa/
- If user accounts can be created through alternative means, consider temporarily disabling the affected endpoint until a proper fix is applied
# Example nginx configuration to restrict access to the vulnerable endpoint
location /sa/addUser {
    # Allow only from the trusted admin network (example range; adjust to your environment)
    allow 192.168.1.0/24;
    deny all;
    # Require an Authorization header (an "if" that only returns is one of
    # the safe uses of "if" inside a location block)
    if ($http_authorization = "") {
        return 403;
    }
    proxy_pass http://backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.