Skip to main content
CVE Vulnerability Database

CVE-2025-7901: Ruoyi Ruoyi Swagger UI XSS Vulnerability

CVE-2025-7901 is a cross-site scripting flaw in Ruoyi Ruoyi's Swagger UI component affecting versions up to 4.8.1. Attackers can exploit the configUrl parameter remotely. This article covers technical details, impact, and mitigation.

Published:

CVE-2025-7901 Overview

CVE-2025-7901 is a reflected cross-site scripting (XSS) vulnerability affecting yangzongzhuan RuoYi versions up to 4.8.1. The flaw resides in the Swagger UI component, specifically in the handling of the configUrl parameter within /swagger-ui/index.html. Attackers can craft a malicious URL that injects JavaScript into the victim's browser session when the link is opened. The vulnerability is classified under [CWE-79] and can be exploited remotely without authentication, though user interaction is required. Public disclosure occurred through a GitHub issue on the RuoYi repository.

Critical Impact

Remote attackers can execute arbitrary JavaScript in victim browsers via the Swagger UI configUrl parameter, enabling session hijacking, credential theft, and administrative interface abuse.

Affected Products

  • yangzongzhuan RuoYi versions up to and including 4.8.1
  • RuoYi Swagger UI component (/swagger-ui/index.html)
  • Deployments exposing the Swagger UI endpoint to untrusted networks

Discovery Timeline

  • 2025-07-20 - CVE-2025-7901 published to the National Vulnerability Database (NVD)
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-7901

Vulnerability Analysis

RuoYi is a Java-based rapid development platform widely used to build management and administrative applications. The vulnerable component is Swagger UI, an interactive API documentation interface bundled with the application. Swagger UI accepts a configUrl query parameter that instructs it to load an external configuration file describing the API.

When the application processes this parameter, it fails to properly validate or sanitize the input before reflecting it into rendered content. Attackers can supply a crafted configUrl value that causes JavaScript execution in the context of the RuoYi application origin. The attack requires the victim to click a malicious link, so exploitation depends on user interaction.

Successful exploitation grants the attacker script execution within an authenticated administrator's session. This enables theft of session cookies, forgery of administrative requests, and pivoting into backend management functions exposed by RuoYi.

Root Cause

The root cause is improper neutralization of input during web page generation [CWE-79]. The Swagger UI bundled with RuoYi consumes the configUrl query parameter and incorporates it into the DOM without applying context-appropriate output encoding or URL scheme validation. Known Swagger UI advisories cover this class of issue, and RuoYi ships a version that has not been remediated in releases up to 4.8.1.

Attack Vector

Exploitation proceeds over the network. The attacker crafts a URL of the form https://target/swagger-ui/index.html?configUrl=<attacker-controlled-payload> and delivers it via phishing, chat, or an embedded link. When an authenticated user opens the link, the browser loads Swagger UI, which then fetches and processes the attacker-controlled configuration, resulting in script execution in the RuoYi origin. No credentials are required from the attacker, but the victim must be tricked into visiting the crafted URL.

No verified public proof-of-concept code is available. Refer to the GitHub Issue #293 for technical discussion.

Detection Methods for CVE-2025-7901

Indicators of Compromise

  • HTTP requests to /swagger-ui/index.html containing a configUrl query parameter pointing to external or attacker-controlled domains
  • Access log entries with URL-encoded <script>, javascript:, or data: schemes in the configUrl value
  • Referrer headers on RuoYi admin actions originating from Swagger UI URLs with unusual query strings
  • Unexpected outbound requests from user browsers to unknown hosts immediately after visiting Swagger UI

Detection Strategies

  • Deploy web application firewall (WAF) rules that inspect the configUrl parameter for URL schemes other than the expected trusted origin
  • Alert on any request to /swagger-ui/index.html in production environments where Swagger UI should not be reachable
  • Correlate authenticated administrative actions with recent Swagger UI page loads that contained non-default query parameters

Monitoring Recommendations

  • Enable verbose HTTP access logging on RuoYi front-end proxies and retain logs for at least 90 days
  • Monitor for spikes in requests to /swagger-ui/* from external IPs or unusual user agents
  • Track browser Content Security Policy (CSP) violation reports if CSP is enabled on the application

How to Mitigate CVE-2025-7901

Immediate Actions Required

  • Restrict access to /swagger-ui/index.html and related Swagger endpoints to internal networks or authenticated administrators only
  • Disable Swagger UI entirely in production deployments where interactive API documentation is not required
  • Educate administrators to avoid clicking Swagger UI links received from untrusted sources

Patch Information

At the time of publication, no vendor patch is referenced in NVD for RuoYi versions up to 4.8.1. Monitor the RuoYi GitHub repository for an official fix. When a fix is available, upgrade to the remediated release and verify that the Swagger UI bundled with RuoYi validates the configUrl parameter against an allowlist of trusted origins.

Workarounds

  • Block requests containing the configUrl query parameter at a reverse proxy or WAF layer
  • Configure the application server to return HTTP 404 for /swagger-ui/* paths in production profiles
  • Apply a strict Content Security Policy that disallows inline scripts and restricts script sources to trusted origins
  • Require VPN or IP allowlisting for any environment where Swagger UI must remain enabled
bash
# Example Nginx configuration to block the vulnerable parameter
location /swagger-ui/ {
    if ($arg_configUrl) {
        return 403;
    }
    # Restrict to internal network only
    allow 10.0.0.0/8;
    deny all;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.