CVE-2025-14052
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-05

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability has been found in youlaitech youlai-mall 1.0.0/2.0.0. Affected by this vulnerability is the function getMemberById of the file /mall-ums/app-api/v1/members/. The manipulation of the argument memberId leads to improper access controls. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-05
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-12-10
EPSS Evaluated
2026-06-15
NVD
CVE-2025-14052
EUVD
EUVD-2025-201313
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
youlai youlai-mall 1.0.0
youlai youlai-mall 2.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability leads to unauthorized disclosure of personal identifiers such as users' WeChat openid, which constitutes a privacy violation and increases the risk of regulatory noncompliance. This improper access control and exposure of sensitive personal data can result in breaches of data protection standards like GDPR and HIPAA, which mandate strict controls over personal data access and confidentiality. [3]

Detection Guidance

This vulnerability can be detected by attempting to access the vulnerable API endpoint with manipulated memberId parameters using a valid authorization token. For example, you can use a curl command to send a GET request to the endpoint with different memberId values and observe if the server returns data for users other than the authenticated user. A sample command is: curl -H "Authorization: Bearer <token>" https://<host>/mall-ums/app-api/v1/members/12345/openid If the response returns another user's WeChat openid, the system is vulnerable. [3]

Mitigation Strategies

There are no known countermeasures or patches currently available for this vulnerability. Immediate steps include considering replacing the affected product or disabling the vulnerable API endpoint if possible. Additionally, restrict access to the API to trusted users only and monitor for suspicious activity. Applying strict access control checks to ensure that the memberId parameter matches the authenticated user's ID is recommended once a fix is available. [1, 3]

Executive Summary

This vulnerability exists in the function getMemberById of the youlai-mall application versions 1.0.0 and 2.0.0. It involves improper access controls caused by manipulation of the memberId argument, allowing an attacker to potentially access data or functionality they should not be able to. The attack can be performed remotely, and the exploit has been publicly disclosed.

Impact Analysis

The vulnerability can lead to unauthorized access to member information or functionality within the youlai-mall application. This could result in data exposure, data modification, or other unauthorized actions, potentially compromising user privacy and system integrity.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14052. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart