CVE-2025-14909
Remote Session Management Vulnerability in JeecgBoot SysUserOnlineController
Publication date: 2025-12-19
Last updated on: 2026-04-29
Assigner: VulDB
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jeecg | jeecgboot | * |
| jeecg | jeecgboot | 3.9.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1018 | |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-14909 is a security vulnerability in JeecgBoot versions up to 3.9.0, specifically in the SysUserOnlineController class. It arises from missing permission checks on two REST API endpoints: one that lists all online users and their session tokens, and another that allows forcibly logging out users. Because these endpoints lack proper access control, any authenticated user can retrieve sensitive session information and forcibly log out other users, including administrators. This enables unauthorized session manipulation, information disclosure, and denial of service attacks. [1, 2, 3]
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers to obtain sensitive session tokens and user information, and forcibly log out any user, including administrators. This can lead to denial of service by repeatedly disconnecting users, disrupting business operations, causing data inconsistency, and potentially escalating privileges. The system's availability and normal functioning can be severely affected. [2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring access to the two vulnerable endpoints: `GET /sys/online/list` and `POST /sys/online/forceLogout`. Detection involves checking whether unauthorized or non-administrative users are accessing these endpoints or whether there are unusual forced logout activities. You can use network monitoring tools or web server logs to identify calls to these endpoints. For example, using curl commands to test access permissions:
1. Test access to the online user list: `curl -i -H "Authorization: Bearer <token>" https://<your-jeecgboot-server>/sys/online/list`
2. Test a forced logout attempt: `curl -X POST -H "Authorization: Bearer <token>" -d '{"token":"<target-user-token>"}' https://<your-jeecgboot-server>/sys/online/forceLogout`
If these commands succeed for non-admin users, the system is vulnerable. Additionally, review logs for repeated forced logout requests or unexpected session terminations indicating exploitation attempts. [2, 3]
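The log review suggested above, as an added example that is not part of the original advisory or of JeecgBoot itself: it assumes a simplified access-log format of `timestamp user method path status` (your gateway or application log must record the authenticated user), a constructed allowlist of accounts expected to hold the online-user permissions, and a constructed threshold for what counts as "repeated" forced logouts.

```python
import re
from collections import Counter

# Constructed log lines in a simplified "timestamp user method path status"
# format (assumption: your gateway or app log records the authenticated user).
SAMPLE_LOG = """\
2025-12-19T10:00:01Z admin GET /sys/online/list 200
2025-12-19T10:00:05Z alice GET /sys/online/list 200
2025-12-19T10:00:07Z alice POST /sys/online/forceLogout 200
2025-12-19T10:00:09Z alice POST /sys/online/forceLogout 200
2025-12-19T10:00:11Z alice POST /sys/online/forceLogout 200
2025-12-19T10:00:20Z bob GET /sys/user/list 200
2025-12-19T10:00:30Z bob POST /sys/online/forceLogout 403
2025-12-19T10:01:00Z admin POST /sys/online/forceLogout 200
"""

# The two endpoints named in the advisory for CVE-2025-14909.
SENSITIVE = {("GET", "/sys/online/list"), ("POST", "/sys/online/forceLogout")}
ADMINS = {"admin"}          # constructed allowlist of accounts expected to use them
FORCE_LOGOUT_THRESHOLD = 3  # constructed: this many successful forceLogouts is "repeated"

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|DELETE) (\S+) (\d{3})$")

def parse(log_text):
    """Yield (user, method, path, status) per well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(2), m.group(3), m.group(4), int(m.group(5))

def find_suspicious(log_text, admins=ADMINS, threshold=FORCE_LOGOUT_THRESHOLD):
    """Return ([(user, method, path) for non-admin hits on sensitive endpoints],
    {user: count of successful forceLogouts, only where count >= threshold})."""
    non_admin_hits, force_counts = [], Counter()
    for user, method, path, status in parse(log_text):
        if (method, path) not in SENSITIVE or not 200 <= status < 300:
            continue  # only successful calls indicate the permission check is missing
        if user not in admins:
            non_admin_hits.append((user, method, path))
        if path == "/sys/online/forceLogout":
            force_counts[user] += 1
    return non_admin_hits, {u: n for u, n in force_counts.items() if n >= threshold}

if __name__ == "__main__":
    hits, repeat = find_suspicious(SAMPLE_LOG)
    print("non-admin access:", hits)
    print("repeated forceLogout:", repeat)
```

A 4xx response to these endpoints (as for `bob` in the sample) is ignored, since it shows the permission check is in place; only successful calls by non-allowlisted accounts indicate the vulnerable code path.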
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the official patch identified by commit `b686f9fbd1917edffe5922c6362c817a9361cfbd`, which adds proper permission checks to the vulnerable endpoints. Specifically:
1. Add the `@RequiresPermissions("system:online:list")` annotation to the `/sys/online/list` endpoint to restrict access to authorized administrators only.
2. Add the `@RequiresPermissions("system:online:forceLogout")` annotation to the `/sys/online/forceLogout` endpoint to restrict forced logout capabilities to administrators.
3. Alternatively, implement identity verification logic in the forceLogout method to ensure non-administrators can only log out their own sessions.
4. Update the permissions in the database accordingly to enforce these restrictions.
Until the patch is applied, monitor and restrict access to these endpoints and consider temporarily disabling the force logout functionality, if possible, to prevent exploitation. [1, 3, 4]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability exposes sensitive user session information such as session tokens, usernames, and real names to any authenticated user without proper authorization, leading to sensitive data exposure. It also allows unauthorized forced logout of users, including administrators, causing denial of service and potential business disruption. Such unauthorized access and manipulation of user session data can lead to violations of data protection and privacy regulations like GDPR and HIPAA, which require strict controls over personal and sensitive information and mandate protection against unauthorized access and service disruptions. Therefore, this vulnerability negatively impacts compliance with these common standards and regulations by failing to enforce proper access controls and protect sensitive user data. [2, 3]