CVE-2025-10384
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-13

Last updated on: 2026-04-29

Assigner: VulDB

Description
A flaw has been found in yangzongzhuan RuoYi up to 4.8.1. Affected by this vulnerability is an unknown functionality of the file /system/role/authUser/cancelAll of the component Role Handler. Executing manipulation of the argument roleId/userIds can lead to improper authorization. The attack may be performed from remote. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-13
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-09-13
EPSS Evaluated
2026-06-15
NVD
CVE-2025-10384
EUVD
EUVD-2025-29102
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ruoyi ruoyi to 4.8.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-10384 is a broken function level authorization vulnerability in the yangzongzhuan RuoYi framework (up to version 4.8.1). It affects the batch role cancellation endpoint `/system/role/authUser/cancelAll`. An authenticated attacker who captures a valid session cookie can send a crafted request manipulating the `roleId` and `userIds` parameters to revoke roles from arbitrary users without proper permission, bypassing access controls. [1, 2]

Impact Analysis

This vulnerability allows an attacker to revoke roles from arbitrary users without authorization, potentially removing critical permissions such as administrator roles. This can lead to unauthorized privilege changes, impacting the integrity and availability of the system. Since the exploit can be performed remotely and easily, it poses a significant security risk. [1, 2]

Detection Guidance

This vulnerability can be detected by monitoring for suspicious POST requests to the endpoint /system/role/authUser/cancelAll that include manipulation of the roleId and userIds parameters. Detection involves capturing and analyzing HTTP traffic for unauthorized or unusual role cancellation attempts, especially from authenticated sessions. Commands to detect such activity could include using network traffic analysis tools like tcpdump or Wireshark to filter HTTP POST requests to the vulnerable endpoint, for example: tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/system/role/authUser/cancelAll'. Additionally, web server logs can be searched for POST requests to this path with roleId and userIds parameters to identify potential exploitation attempts. [1, 2]

Mitigation Strategies

Immediate mitigation steps include restricting access to the /system/role/authUser/cancelAll endpoint to trusted users only, implementing strict access controls and monitoring for unauthorized requests. Since no vendor patch or fix is currently available and the vendor did not respond, it is recommended to consider replacing the affected component or product. Additionally, monitoring and alerting on suspicious activity targeting this endpoint should be established to detect exploitation attempts early. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-10384. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart