Executive Summary

CVE-2025-14909 is a security vulnerability in JeecgBoot versions up to 3.9.0, specifically in the SysUserOnlineController class. It arises from missing permission checks on two REST API endpoints: one that lists all online users and their session tokens, and another that allows forcibly logging out users. Because these endpoints lack proper access control, any authenticated user can retrieve sensitive session information and forcibly log out other users, including administrators. This enables unauthorized session manipulation, information disclosure, and denial of service attacks. [1, 2, 3]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing attackers to obtain sensitive session tokens and user information, and forcibly log out any user, including administrators. This can lead to denial of service by repeatedly disconnecting users, disrupting business operations, causing data inconsistency, and potentially escalating privileges. The system's availability and normal functioning can be severely affected. [2, 3]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring access to the two vulnerable endpoints: `GET /sys/online/list` and `POST /sys/online/forceLogout`. Detection involves checking if unauthorized or non-administrative users are accessing these endpoints or if there are unusual forced logout activities. You can use network monitoring tools or web server logs to identify calls to these endpoints. For example, using curl commands to test access permissions: 1. Test access to online user list: `curl -i -H "Authorization: Bearer <token>" https://<your-jeecgboot-server>/sys/online/list` 2. Test forced logout attempt: `curl -X POST -H "Authorization: Bearer <token>" -d '{"token":"<target-user-token>"}' https://<your-jeecgboot-server>/sys/online/forceLogout` If these commands succeed for non-admin users, the system is vulnerable. Additionally, review logs for repeated forced logout requests or unexpected session terminations indicating exploitation attempts. [2, 3]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include applying the official patch identified by commit `b686f9fbd1917edffe5922c6362c817a9361cfbd` which adds proper permission checks to the vulnerable endpoints. Specifically: 1. Add `@RequiresPermissions("system:online:list")` annotation to the `/sys/online/list` endpoint to restrict access to authorized administrators only. 2. Add `@RequiresPermissions("system:online:forceLogout")` annotation to the `/sys/online/forceLogout` endpoint to restrict forced logout capabilities to administrators. 3. Alternatively, implement identity verification logic in the forceLogout method to ensure non-administrators can only log out their own sessions. 4. Update the permissions in the database accordingly to enforce these restrictions. Until the patch is applied, monitor and restrict access to these endpoints and consider temporarily disabling the force logout functionality if possible to prevent exploitation. [1, 3, 4]

Useful 0 Not Useful 0

Compliance Impact

This vulnerability exposes sensitive user session information such as session tokens, usernames, and real names to any authenticated user without proper authorization, leading to sensitive data exposure. It also allows unauthorized forced logout of users, including administrators, causing denial of service and potential business disruption. Such unauthorized access and manipulation of user session data can lead to violations of data protection and privacy regulations like GDPR and HIPAA, which require strict controls over personal and sensitive information and mandate protection against unauthorized access and service disruptions. Therefore, this vulnerability negatively impacts compliance with these common standards and regulations by failing to enforce proper access controls and protect sensitive user data. [2, 3]

Useful 0 Not Useful 0