CVE-2025-14085
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-05

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability has been found in youlaitech youlai-mall 1.0.0/2.0.0. This impacts an unknown function of the file /app-api/v1/orders/. The manipulation of the argument orderId leads to improper control of dynamically-identified variables. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-05
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-12-05
EPSS Evaluated
2026-06-15
NVD
CVE-2025-14085
EUVD
EUVD-2025-201410
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
youlai youlai-mall 1.0.0
youlai youlai-mall 2.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-913 The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.
CWE-914 The product does not properly restrict reading from or writing to dynamically-identified variables.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in youlaitech youlai-mall versions 1.0.0 and 2.0.0, specifically in the /app-api/v1/orders/ file. It involves manipulation of the 'orderId' argument, which leads to improper control of dynamically-identified variables. This flaw can be exploited remotely.

Impact Analysis

Exploitation of this vulnerability can allow an attacker to remotely manipulate variables dynamically, potentially leading to unauthorized actions or data manipulation within the affected application. This could compromise the integrity and confidentiality of order-related data.

Compliance Impact

This vulnerability allows unauthorized deletion of other users' orders due to missing ownership validation and insufficient access control. This undermines data integrity, user trust, and audit processes, which can lead to business and compliance risks. The lack of audit trails and rate limiting increases regulatory and operational risks, potentially violating requirements for data protection, accountability, and auditability found in standards like GDPR and HIPAA. [3]

Detection Guidance

This vulnerability can be detected by monitoring and testing the DELETE requests to the endpoint /app-api/v1/orders/{orderId} for improper access control. Specifically, an authenticated user can attempt to delete orders belonging to other users by manipulating the orderId parameter. Detection involves verifying if the system allows deletion of orders without ownership validation. Suggested commands include sending HTTP DELETE requests with different orderId values using tools like curl or HTTP clients, for example: curl -X DELETE -H "Authorization: Bearer <valid_token>" https://<target>/app-api/v1/orders/<orderId>. Monitoring logs for such unauthorized deletion attempts and checking for absence of ownership checks in the API behavior can also help detect exploitation attempts. [3]

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable endpoint by implementing proper ownership validation to ensure that users can only delete their own orders. If patching is not immediately possible, consider disabling or restricting the DELETE /app-api/v1/orders/{orderId} endpoint to trusted users only. Monitoring and alerting on suspicious deletion activities and applying rate limiting to prevent enumeration attacks are also recommended. Since no vendor response or official mitigations exist, replacing the affected product with a secure alternative should be considered as a longer-term solution. [1, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14085. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart