Skip to main content
CVE Vulnerability Database

CVE-2025-8839: Jishenghua jshERP Auth Bypass Vulnerability

CVE-2025-8839 is an authentication bypass flaw in Jishenghua jshERP up to version 3.5 that allows unauthorized user creation. This article covers the technical details, affected versions, and mitigation strategies.

Published:

CVE-2025-8839 Overview

CVE-2025-8839 is an improper authorization vulnerability in jshERP up to version 3.5. The flaw exists in the /jshERP-boot/user/addUser endpoint, which handles user account creation. Attackers can exploit the issue remotely over the network with low-privilege authenticated access. The vulnerability is classified under [CWE-266] Incorrect Privilege Assignment.

The exploit has been publicly disclosed through a GitHub issue and VulDB submission. The affected vendor is jishenghua, and the impacted product is the jsherp enterprise resource planning application. Public availability of exploit details increases the risk of opportunistic abuse against unpatched deployments.

Critical Impact

Authenticated attackers can invoke the addUser endpoint to create or modify user accounts without proper authorization checks, undermining account integrity in jshERP 3.5.

Affected Products

  • jishenghua jshERP version 3.5
  • jshERP releases up to and including 3.5
  • Deployments exposing /jshERP-boot/user/addUser over the network

Discovery Timeline

  • 2025-08-11 - CVE-2025-8839 published to the National Vulnerability Database (NVD)
  • 2026-04-29 - Last updated in NVD database

Technical Details for CVE-2025-8839

Vulnerability Analysis

The vulnerability resides in the addUser function exposed by the /jshERP-boot/user/ endpoint. The endpoint processes user creation requests without enforcing sufficient authorization controls on the caller. A low-privilege account can therefore reach administrative functionality reserved for higher-privileged users.

The flaw maps to [CWE-266] Incorrect Privilege Assignment. According to the public disclosure, the attack requires network access and authenticated context, but no user interaction. Successful exploitation affects confidentiality, integrity, and availability at a limited scope.

For technical specifics, refer to the GitHub Issue Discussion and the VulDB CTI ID #319373 entries.

Root Cause

The root cause is missing or improperly implemented authorization logic on the addUser controller. The handler does not validate whether the authenticated principal holds the privileges required to create users. As a result, role boundaries within the application are not enforced server-side.

Attack Vector

An attacker authenticates with any valid low-privilege jshERP account. They then send a crafted HTTP request to /jshERP-boot/user/addUser containing parameters for a new account. Because the endpoint skips proper role checks, the request succeeds and the attacker gains the ability to provision accounts.

No verified exploit code is published in the referenced sources. See the VulDB submission #622569 for additional context on the disclosure.

Detection Methods for CVE-2025-8839

Indicators of Compromise

  • Unexpected POST requests to /jshERP-boot/user/addUser originating from non-administrative user sessions.
  • New jshERP accounts created outside of approved provisioning workflows or change-management windows.
  • Authentication events for newly created accounts shortly after suspicious addUser calls.

Detection Strategies

  • Correlate web access logs with jshERP role assignments to flag addUser invocations by users without administrative roles.
  • Alert on spikes in user account creation events, especially from a single source IP or session.
  • Review application audit logs for addUser calls that lack a corresponding administrator approval entry.

Monitoring Recommendations

  • Forward jshERP application and HTTP server logs to a centralized SIEM for long-term retention and correlation.
  • Baseline normal addUser activity and alert on deviations in volume, source, or timing.
  • Monitor outbound activity from accounts created in unusual patterns to identify follow-on abuse.

How to Mitigate CVE-2025-8839

Immediate Actions Required

  • Restrict network exposure of jshERP /jshERP-boot/ endpoints to trusted internal networks or VPN users.
  • Rotate credentials for low-privilege jshERP accounts and review recently created user accounts for legitimacy.
  • Enforce strict role-based access at an upstream reverse proxy or web application firewall until a patch is applied.

Patch Information

At the time of this writing, no vendor advisory or fixed release is listed in the NVD references for CVE-2025-8839. Monitor the jshERP GitHub repository for updates and apply any vendor-supplied fix as soon as it is published.

Workarounds

  • Block direct access to /jshERP-boot/user/addUser from non-administrative network segments via WAF or reverse-proxy rules.
  • Add server-side authorization middleware that validates administrative role membership before forwarding requests to the addUser handler.
  • Audit existing user accounts and disable any that cannot be tied to an approved provisioning request.
bash
# Example NGINX rule to restrict the addUser endpoint to an admin subnet
location = /jshERP-boot/user/addUser {
    allow 10.10.50.0/24;   # admin management subnet
    deny  all;
    proxy_pass http://jsherp_backend;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.