Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-66735

CVE-2025-66735: Youlai-boot Auth Bypass Vulnerability

CVE-2025-66735 is an authentication bypass flaw in Youlai-boot V2.21.1 that allows non-root users to access root roles due to missing permission checks. This article covers technical details, affected versions, and mitigation.

Updated:

CVE-2025-66735 Overview

CVE-2025-66735 is a broken access control vulnerability in youlai-boot V2.21.1, an open-source Java/Spring Boot rapid development framework. The getRoleForm function in SysRoleController.java does not perform permission checks before returning role configuration data. Authenticated non-root users can directly query and retrieve details of root-level roles by manipulating the role identifier in the request. This exposes privileged role configurations to lower-privileged accounts and weakens the application's role-based access control model.

Critical Impact

Authenticated low-privilege users can read root role definitions, exposing sensitive authorization metadata that supports further privilege escalation reconnaissance.

Affected Products

  • Youlai youlai-boot version 2.21.1
  • Component: youlai:youlai-boot
  • CPE: cpe:2.3:a:youlai:youlai-boot:2.21.1:*:*:*:*:*:*:*

Discovery Timeline

  • 2025-12-22 - CVE-2025-66735 published to NVD
  • 2026-01-06 - Last updated in NVD database

Technical Details for CVE-2025-66735

Vulnerability Analysis

The flaw resides in the getRoleForm endpoint defined in SysRoleController.java. This controller method returns the form data for a given role identifier but omits an authorization check verifying that the requesting user has rights to view the target role. The youlai-boot framework implements a role hierarchy in which the root role holds full administrative privileges. Because the endpoint trusts the supplied role identifier without validating the caller's permission scope, any authenticated session can request the root role record.

The weakness is classified as [CWE-284] Improper Access Control. The disclosed scope affects confidentiality of role configuration data, including assigned menus, permissions, and data scope settings. While the issue does not directly modify data or impair availability, the disclosed metadata is valuable for attackers planning lateral movement within the application.

Root Cause

The controller method retrieves a role by its primary key and returns the associated form object without invoking the framework's permission annotation, such as @PreAuthorize or an equivalent role-scope check. Backend authorization logic relies on annotations consistently applied across endpoints, and this endpoint was missing that guard.

Attack Vector

An attacker first authenticates as any low-privilege user. The attacker then issues a request to the role form endpoint, supplying the identifier of the root role. The server returns the root role's configuration. The attack is reachable over the network, requires low privileges, and needs no user interaction. Details are described in the Gitee Issue Report ICH8FR and a GitHub Gist PoC Example.

Detection Methods for CVE-2025-66735

Indicators of Compromise

  • HTTP requests to the role form endpoint from sessions belonging to non-administrative accounts.
  • Repeated enumeration of sequential role identifiers in application access logs.
  • Responses containing root role metadata served to user accounts outside the administrator group.

Detection Strategies

  • Review application access logs for calls to getRoleForm correlated with the caller's role claim and the requested role identifier.
  • Inspect API gateway or reverse proxy logs for anomalous role identifier values in role management endpoints.
  • Add server-side audit logging that records the requester identity alongside the target role primary key for every role read operation.

Monitoring Recommendations

  • Alert when non-administrative sessions access role administration endpoints.
  • Track HTTP 200 responses on /role/{id}/form style paths grouped by caller role to surface authorization gaps.
  • Forward web application logs to a centralized analytics platform for correlation with authentication events.

How to Mitigate CVE-2025-66735

Immediate Actions Required

  • Apply the upstream fix referenced in the Gitee Commit Changes.
  • Restrict access to role management endpoints to administrator accounts at the reverse proxy or API gateway level until the patch is deployed.
  • Audit existing user accounts and revoke sessions belonging to users who accessed role administration endpoints without authorization.

Patch Information

The maintainer published a fix in commit 9197065102f92264ded814a9d3e9f2a4ff0da121 on Gitee, which adds the missing permission check to the getRoleForm method in SysRoleController.java. Upgrade to a youlai-boot release that includes this commit. Verify the deployed build by inspecting the controller source for the added authorization annotation.

Workarounds

  • Add a server-side permission annotation, such as @PreAuthorize("hasAuthority('sys:role:view')"), to the getRoleForm method as an interim measure.
  • Block direct external access to /api/v1/roles/*/form paths via a web application firewall rule restricted to administrator source identities.
  • Disable or hide the role management module for non-administrator user groups until the patched version is rolled out.
bash
# Configuration example: WAF rule to restrict role form endpoint
# Nginx example limiting access to authenticated admin tokens
location ~ ^/api/v1/roles/[0-9]+/form$ {
    if ($http_x_user_role !~ "^(root|admin)$") {
        return 403;
    }
    proxy_pass http://youlai_backend;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.