Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-70058

CVE-2025-70058: Ymfe Yapi Information Disclosure Flaw

CVE-2025-70058 is an information disclosure vulnerability in Ymfe Yapi v1.12.0 caused by improper certificate validation. This security flaw exposes users to man-in-the-middle attacks. Learn about affected versions and mitigations.

Updated:

CVE-2025-70058 Overview

CVE-2025-70058 is an improper certificate validation flaw [CWE-295] in YMFE YApi version 1.12.0. The application disables Transport Layer Security (TLS) certificate validation by setting rejectUnauthorized: false in the HTTPS agent configuration used for Axios requests. This configuration instructs the underlying Node.js TLS stack to accept any server certificate, including self-signed, expired, or attacker-controlled certificates. An attacker positioned on the network path between YApi and remote HTTPS endpoints can intercept, read, and modify traffic without triggering certificate warnings.

Critical Impact

Network-positioned attackers can perform man-in-the-middle attacks against YApi v1.12.0, decrypting and tampering with HTTPS traffic that should be protected by TLS.

Affected Products

  • YMFE YApi 1.12.0
  • Deployments using ymfe:yapi component with default HTTPS agent settings
  • Axios-based outbound integrations within YApi

Discovery Timeline

  • 2026-02-23 - CVE-2025-70058 published to the National Vulnerability Database
  • 2026-02-26 - Last updated in NVD database

Technical Details for CVE-2025-70058

Vulnerability Analysis

YApi is an open-source API management platform maintained under the YMFE GitHub organization. In version 1.12.0, the application constructs an https.Agent instance with the option rejectUnauthorized: false and passes this agent to Axios HTTP client requests. The flag disables the standard chain-of-trust verification performed by Node.js, so the client no longer validates the server certificate against trusted certificate authorities, hostname matching, or expiration dates.

Because certificate validation is the primary defense against impersonation on TLS channels, removing it converts encrypted HTTPS traffic into traffic that is only opportunistically encrypted. An attacker capable of intercepting the network path can present any certificate, terminate the TLS session, and proxy plaintext to the legitimate destination.

Root Cause

The root cause is a hardcoded insecure default in the HTTPS agent configuration. Setting rejectUnauthorized: false is typically used during development to bypass self-signed certificate errors but must not ship in production code. YApi 1.12.0 retains this setting in shipped code paths that issue outbound Axios requests.

Attack Vector

Exploitation requires a network-adjacent or in-path attacker, such as an adversary controlling a router, DNS resolver, proxy, or compromised network segment between YApi and a target HTTPS service. The attacker presents a forged certificate when YApi initiates an HTTPS connection. YApi accepts the certificate without validation and establishes a session with the attacker, who relays traffic to the real endpoint. Sensitive data carried over these connections, including authentication tokens and API payloads, becomes exposed to interception and modification.

No public proof-of-concept exploit is currently catalogued by CISA KEV or Exploit-DB. Technical references are available in the GitHub Gist PoC Repository and the YAPI Project Repository.

Detection Methods for CVE-2025-70058

Indicators of Compromise

  • Outbound HTTPS connections from YApi hosts terminating at unexpected IP addresses or proxies
  • TLS sessions negotiated with self-signed or untrusted certificates in network telemetry
  • Anomalous certificate fingerprints associated with traffic from YApi servers
  • Source code or container images containing rejectUnauthorized: false in HTTPS agent configurations

Detection Strategies

  • Perform static analysis on YApi deployments to locate rejectUnauthorized: false in HTTPS agent instantiations and Axios configurations
  • Inspect TLS metadata at network egress points to identify sessions where YApi accepted untrusted certificates
  • Compare deployed YApi versions against 1.12.0 using software composition analysis tools

Monitoring Recommendations

  • Capture and review egress TLS handshakes from YApi hosts, alerting on unknown certificate issuers
  • Monitor outbound destination IPs for deviations from the documented integration endpoints
  • Enable audit logging on YApi outbound API calls and correlate with network flow records

How to Mitigate CVE-2025-70058

Immediate Actions Required

  • Inventory all YApi instances and confirm whether they run version 1.12.0
  • Restrict YApi outbound network access to known integration endpoints through egress firewalls
  • Force YApi traffic through an inspecting proxy that enforces certificate validation independently

Patch Information

At the time of publication, the YMFE YApi project repository does not list a coordinated patch for CVE-2025-70058. Operators should track the upstream repository for fixes and apply a custom patch that removes rejectUnauthorized: false from HTTPS agent instantiations, or replaces the agent with one that uses the system trust store.

Workarounds

  • Patch the local YApi codebase to remove rejectUnauthorized: false and rebuild the application
  • Deploy YApi behind a TLS-terminating reverse proxy that performs certificate validation for outbound calls
  • Pin trusted certificates using a custom ca option in the HTTPS agent instead of disabling validation
bash
# Locate insecure HTTPS agent configurations in a YApi deployment
grep -rn "rejectUnauthorized\s*:\s*false" /path/to/yapi

# Recommended replacement pattern in Node.js
# const agent = new https.Agent({ rejectUnauthorized: true, ca: fs.readFileSync('/etc/ssl/trusted-ca.pem') });

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.