CVE-2025-66735 Overview
CVE-2025-66735 is a broken access control vulnerability in youlai-boot V2.21.1, a Java-based rapid development framework. The getRoleForm function in SysRoleController.java fails to enforce permission checks before returning role configuration data. Non-root users can directly invoke the endpoint to retrieve information tied to root roles, bypassing the intended role-based access control model. The flaw is tracked under CWE-284: Improper Access Control and is exploitable remotely over the network without user interaction.
Critical Impact
Authenticated low-privilege users can read root role definitions through getRoleForm, exposing privileged role metadata and enabling reconnaissance for further privilege escalation.
Affected Products
- youlai-boot version 2.21.1
- Deployments using the default SysRoleController implementation
- Downstream applications built on the affected youlai-boot release
Discovery Timeline
- 2025-12-22 - CVE-2025-66735 published to NVD
- 2026-01-06 - Last updated in NVD database
Technical Details for CVE-2025-66735
Vulnerability Analysis
The vulnerability resides in the getRoleForm handler of SysRoleController.java within youlai-boot V2.21.1. The controller method exposes role configuration data through a REST endpoint, but it omits the authorization annotation or programmatic permission check normally required for administrative role operations. As a result, any authenticated user holding a valid session token can request role records belonging to the root or superadmin tier.
This weakness is a classic missing function-level authorization issue. The application relies on the assumption that only privileged users will reach the endpoint through the UI, while the underlying API enforces no server-side gate. Attackers who enumerate role identifiers can pull back details on highly privileged roles that should never be visible to standard accounts.
Root Cause
The root cause is the absence of a permission check, such as a Spring Security @PreAuthorize annotation or an equivalent guard within the method body. The vendor commit 9197065102f92264ded814a9d3e9f2a4ff0da121 adds the missing authorization enforcement so role lookups respect the caller's privilege level.
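As an added illustration (not youlai-boot's own source and not the vendor patch), the following Spring MVC controller shows the unguarded handler pattern the advisory describes beside a guarded version. The request path, the RoleService and RoleForm types, the ROLE_ROOT authority and the object-level rule are assumptions for this example; 'sys:role:query' is the authority string the workaround section of this advisory suggests.

```java
// Added illustration, not youlai-boot's SysRoleController. Assumed: request path,
// RoleService/RoleForm types, the ROLE_ROOT authority and the object-level rule.
package com.example.demo.sys;

import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/api/v1/sys/roles") // assumed path
public class SysRoleController {

    private final RoleService roleService;

    public SysRoleController(RoleService roleService) {
        this.roleService = roleService;
    }

    // BEFORE (the CVE-2025-66735 pattern): every authenticated caller reaches this
    // method and nothing checks that the caller may read role configuration, so a
    // low-privilege account can fetch the root role's record by id. Mapped to a
    // distinct path here only so both variants compile side by side.
    @GetMapping("/{roleId}/form-unguarded")
    public RoleForm getRoleFormUnguarded(@PathVariable Long roleId) {
        return roleService.getRoleForm(roleId);
    }

    // AFTER: function-level gate. Spring Security evaluates the expression before
    // the body runs and answers 403 for callers lacking the authority.
    @PreAuthorize("hasAuthority('sys:role:query')")
    @GetMapping("/{roleId}/form")
    public RoleForm getRoleForm(@PathVariable Long roleId, Authentication auth) {
        RoleForm form = roleService.getRoleForm(roleId);
        // Object-level check on top of the function-level gate (assumed policy):
        // only a caller holding ROLE_ROOT may read a root-tier role definition.
        if (form.rootRole() && !hasAuthority(auth, "ROLE_ROOT")) {
            throw new AccessDeniedException("insufficient privilege for role " + roleId);
        }
        return form;
    }

    static boolean hasAuthority(Authentication auth, String wanted) {
        if (auth == null) return false;
        for (GrantedAuthority ga : auth.getAuthorities()) {
            if (wanted.equals(ga.getAuthority())) return true;
        }
        return false;
    }
}

// Minimal assumed collaborators so the file compiles stand-alone.
interface RoleService {
    RoleForm getRoleForm(Long roleId);
}

record RoleForm(Long id, String code, boolean rootRole) {}
```

@PreAuthorize only takes effect when method security is enabled (@EnableMethodSecurity on Spring Boot 3, @EnableGlobalMethodSecurity(prePostEnabled = true) on older stacks); with it disabled, the annotated method behaves exactly like the unguarded one. A regression test that calls the endpoint as a non-admin principal and expects 403 catches both the missing annotation and the missing configuration.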
Attack Vector
Exploitation requires network access to the application and a valid low-privilege account. The attacker issues an HTTP request to the role form endpoint, supplying the identifier of a root role. The server returns the role definition without validating that the caller is entitled to view it. Reference details are available in the Gitee issue report and a public code snippet demonstrating the unauthorized access path.
Detection Methods for CVE-2025-66735
Indicators of Compromise
- HTTP requests to the role form endpoint originating from accounts that do not hold administrative roles.
- Repeated sequential requests enumerating role identifiers, particularly low-numbered IDs associated with root or superadmin entries.
- Application logs showing successful responses to getRoleForm calls without a preceding permission validation entry.
Detection Strategies
- Audit application access logs to correlate SysRoleController invocations with the role assigned to the calling principal.
- Deploy web application firewall rules that flag access to administrative role endpoints from sessions lacking elevated privileges.
- Add server-side instrumentation that records the authenticated user identifier and resolved authorities for every call to role management APIs.
Monitoring Recommendations
- Forward youlai-boot application logs and reverse-proxy access logs to a centralized log platform for correlation.
- Alert on response payloads containing root role markers when the requesting account is non-administrative.
- Track anomalous spikes in 200-OK responses to role configuration endpoints from non-admin user agents or IP ranges.
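The indicators and detection strategies above, as an added example that is not part of this advisory or of youlai-boot: a small Java program that correlates each role form call with the caller's resolved authorities and flags both the unauthorized read and the sequential id enumeration. The log format, field names, endpoint path and the 'sys:role:query' authority are assumptions, and the log lines are constructed for the example.

```java
// Added example, not youlai-boot code. Assumed log format:
//   <timestamp> user=<id> authorities=<a,b,c> <METHOD> <path> <status>
// The authorities field is what the instrumentation recommended above would record.
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class RoleFormAccessDetector {

    static final Pattern LINE = Pattern.compile(
        "^(\\S+) user=(\\S+) authorities=(\\S*) (GET|POST) (\\S+) (\\d{3})$");
    // Assumed endpoint shape, matching the nginx example later in this advisory.
    static final Pattern ROLE_FORM = Pattern.compile("^/api/v1/sys/roles/(\\d+)/form$");
    static final String REQUIRED = "sys:role:query";
    static final int ENUM_THRESHOLD = 3; // consecutive ids before alerting

    // Constructed sample: one legitimate admin lookup, then a non-admin walking role ids.
    static final String[] SAMPLE = {
        "2025-12-22T10:00:01Z user=1001 authorities=sys:role:query,sys:user:query GET /api/v1/sys/roles/1/form 200",
        "2025-12-22T10:05:10Z user=2042 authorities=sys:user:query GET /api/v1/sys/roles/1/form 200",
        "2025-12-22T10:05:11Z user=2042 authorities=sys:user:query GET /api/v1/sys/roles/2/form 200",
        "2025-12-22T10:05:12Z user=2042 authorities=sys:user:query GET /api/v1/sys/roles/3/form 200",
        "2025-12-22T10:06:00Z user=2042 authorities=sys:user:query GET /api/v1/sys/users/7 200",
    };

    public static List<String> detect(String[] lines) {
        List<String> alerts = new ArrayList<>();
        Map<String, List<Long>> idsByUser = new HashMap<>();
        for (String line : lines) {
            Matcher m = LINE.matcher(line);
            if (!m.matches()) continue;
            String user = m.group(2);
            List<String> auths = List.of(m.group(3).split(","));
            String path = m.group(5);
            int status = Integer.parseInt(m.group(6));
            Matcher rf = ROLE_FORM.matcher(path);
            if (!rf.matches()) continue;
            long roleId = Long.parseLong(rf.group(1));
            // Indicator 1: a 200 on the role form endpoint from a principal
            // whose resolved authorities do not include the required one.
            if (status == 200 && !auths.contains(REQUIRED)) {
                alerts.add("UNAUTHORIZED_ROLE_READ user=" + user + " role=" + roleId);
            }
            idsByUser.computeIfAbsent(user, k -> new ArrayList<>()).add(roleId);
        }
        // Indicator 2: one caller requesting consecutive role ids in order.
        for (Map.Entry<String, List<Long>> e : idsByUser.entrySet()) {
            List<Long> ids = e.getValue();
            int run = 1;
            for (int i = 1; i < ids.size(); i++) {
                run = (ids.get(i) == ids.get(i - 1) + 1) ? run + 1 : 1;
                if (run >= ENUM_THRESHOLD) {
                    alerts.add("ROLE_ID_ENUMERATION user=" + e.getKey() + " run=" + run);
                    break;
                }
            }
        }
        return alerts;
    }

    public static void main(String[] args) {
        detect(SAMPLE).forEach(System.out::println);
    }
}
```

On the constructed sample the detector raises three UNAUTHORIZED_ROLE_READ alerts for user 2042 (roles 1, 2 and 3) and one ROLE_ID_ENUMERATION alert; user 1001 holds the authority and triggers nothing. The authorities field must come from the server-side instrumentation, not from anything the client sends, or the first indicator is trivially defeated.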
How to Mitigate CVE-2025-66735
Immediate Actions Required
- Upgrade youlai-boot to a version newer than 2.21.1 that includes the vendor fix commit 9197065.
- Restrict network exposure of the youlai-boot administrative endpoints to trusted internal networks until patching is complete.
- Review accounts created in the affected window and rotate credentials for any privileged role exposed through the flaw.
Patch Information
The vendor addressed the issue in commit 9197065102f92264ded814a9d3e9f2a4ff0da121 on the official Gitee repository. The patch adds the missing permission enforcement to the getRoleForm handler. Operators should pull the fixed revision, rebuild the application, and redeploy.
Workarounds
- Add a Spring Security @PreAuthorize("hasAuthority('sys:role:query')") annotation or equivalent guard on the getRoleForm method before rebuilding.
- Place the role management API behind a reverse proxy rule that requires administrator group membership prior to forwarding requests.
- Temporarily disable the role form endpoint in environments where administrative role editing is not required.
# Configuration example: nginx reverse-proxy guard for the role form endpoint.
# nginx reads $http_x_user_role straight from the incoming request, so a client
# can set the X-User-Role header itself. This guard is only sound when a trusted
# authentication layer in front of nginx sets or overwrites that header, or when
# the variable is derived from an auth_request subrequest instead of the raw header.
location ~* /api/v1/sys/roles/.*/form$ {
    if ($http_x_user_role !~* "^(root|admin)$") {
        return 403;
    }
    proxy_pass http://youlai_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.