CVE-2025-14016
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-04

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security vulnerability has been detected in macrozheng mall-swarm up to 1.0.3. Affected is the function delete of the file /member/readHistory/delete. Such manipulation of the argument ids leads to improper authorization. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-04
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-12-10
EPSS Evaluated
2026-06-15
NVD
CVE-2025-14016
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
macrozheng mall-swarm to 1.0.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability can be detected by monitoring and intercepting API requests to the endpoint POST /member/readHistory/delete. Look for requests where the 'ids' parameter is manipulated to include entries not belonging to the authenticated user. For detection, you can use tools like curl or intercepting proxies (e.g., Burp Suite) to capture and analyze requests. Example command to test unauthorized deletion attempt: curl -X POST 'https://yourmallswarminstance/member/readHistory/delete' -H 'Authorization: Bearer <token_of_user_A>' -d 'ids=<ids_of_user_B>' and observe if the response indicates successful deletion (e.g., code: 200, message: "ζ“δ½œζˆεŠŸ"). Monitoring logs for such unauthorized access patterns or unexpected deletions can also help detect exploitation attempts. [2]

Executive Summary

This vulnerability exists in macrozheng mall-swarm up to version 1.0.3, specifically in the delete function of the /member/readHistory/delete file. It involves improper authorization due to manipulation of the argument 'ids', allowing an attacker to remotely execute the attack without proper permissions.

Impact Analysis

The vulnerability can lead to unauthorized deletion of user read history data by an attacker remotely exploiting the improper authorization. This could result in loss or alteration of user data and potential disruption of service or user trust.

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable API endpoint and monitoring for suspicious activity involving the 'ids' parameter in delete requests. Since no official patch or vendor response is available, consider replacing the affected product or disabling the delete functionality temporarily. Implement additional authorization checks on the server side to verify ownership of the 'ids' before processing deletion requests. Also, review and tighten access control policies and monitor logs for unauthorized deletion attempts. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14016. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart