CVE-2025-66736 Overview
CVE-2025-66736 is an authorization bypass vulnerability in youlai-boot V2.21.1, an open-source Java rapid development framework. The flaw resides in the importUsers function within SysUserController.java, which fails to validate the caller's permissions before processing requests. Authenticated low-privilege users can invoke the user import endpoint and write user records directly into the backing database. The issue is tracked under [CWE-284: Improper Access Control] and affects the integrity of identity data managed by the application.
Critical Impact
Any authenticated regular user can bulk-import arbitrary user accounts into the application database, enabling unauthorized account creation and potential privilege escalation paths.
Affected Products
- youlai-boot V2.21.1
- Deployments built on the youlai-boot V2 branch prior to the fix commit 9197065
- Downstream forks that have not merged the upstream permission check
Discovery Timeline
- 2025-12-22 - CVE-2025-66736 published to NVD
- 2026-01-06 - Last updated in NVD database
Technical Details for CVE-2025-66736
Vulnerability Analysis
The youlai-boot framework exposes administrative user management endpoints through SysUserController.java. Most administrative methods in this controller are guarded by Spring Security @PreAuthorize annotations that restrict invocation to accounts holding the appropriate role. The importUsers method, which accepts an uploaded user list and persists it through the user service layer, is missing this guard. As a result, the endpoint inherits only the platform's baseline authentication requirement and accepts requests from any authenticated session, including low-privilege roles created through normal registration or provisioning flows.
The attacker model is a network-reachable user holding a valid session token. The impact is bounded to integrity of the user table and any downstream identity-aware logic that trusts records originating from that table, including role assignments embedded in the import payload.
Root Cause
The root cause is a missing authorization check on the importUsers handler in SysUserController.java. The annotation that should restrict execution to system administrators was omitted, so the Spring Security filter chain permits the request once authentication succeeds. The defect is documented in the vendor fix at the Gitee commit 9197065 and the public issue tracker entry at Gitee issue ICH8FV.
Attack Vector
Exploitation requires only a low-privilege authenticated account and HTTP access to the application. The attacker submits a multipart upload to the user import endpoint containing crafted user records. Because the service layer trusts the controller to enforce authorization, the records are persisted with whatever role identifiers the attacker supplied. This can be leveraged to plant accounts with elevated roles, to overwrite contact data for existing accounts, or to seed accounts used in follow-on phishing or social engineering. Refer to the published GitHub Gist proof-of-concept notes for endpoint specifics.
Detection Methods for CVE-2025-66736
Indicators of Compromise
- Unexpected POST requests to the /api/v1/users/import endpoint (or equivalent import route) originating from non-administrative user sessions.
- New rows in the sys_user table created outside of standard administrative workflows, especially with elevated role_id values.
- Application audit log gaps where user creation events are not associated with an administrative actor.
Detection Strategies
- Review application access logs for invocations of SysUserController.importUsers correlated with the role of the authenticated principal.
- Compare user table growth against expected provisioning baselines and alert on bulk inserts.
- Hunt for sessions that authenticate as standard users and subsequently issue requests to administrative controller paths.
Monitoring Recommendations
- Forward application and web server logs into a centralized analytics platform such as Singularity Data Lake to support cross-source correlation of authentication and administrative API activity.
- Configure alerts on file uploads to administrative endpoints from non-admin roles.
- Track database-level audit events for inserts into the user and role mapping tables.
How to Mitigate CVE-2025-66736
Immediate Actions Required
- Upgrade youlai-boot past the fix commit 9197065 or apply the patch directly to SysUserController.java.
- Audit the user table for accounts created since deployment and disable any records not tied to a legitimate provisioning event.
- Rotate credentials for any accounts that may have had their contact details overwritten through the import endpoint.
Patch Information
The vendor published the fix in Gitee commit 9197065102f92264ded814a9d3e9f2a4ff0da121, which adds the missing permission annotation to the importUsers handler. The corresponding tracking ticket is available at Gitee issue ICH8FV. Operators running forks should rebase or cherry-pick this commit.
Workarounds
- Block the user import route at a reverse proxy or API gateway and restrict it to source addresses used by administrators.
- Add a @PreAuthorize("hasAuthority('sys:user:import')") annotation, or equivalent role check, to the importUsers method until a full upgrade is possible.
- Temporarily disable the import feature in the front-end and remove the route mapping if administrative bulk import is not required.
# Configuration example: restrict the import endpoint at an Nginx reverse proxy
location = /api/v1/users/import {
allow 10.0.0.0/24; # admin workstation subnet
deny all;
proxy_pass http://youlai_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

