Executive Summary

CVE-2025-15086 is an improper access control vulnerability in the youlai-mall software affecting the API endpoint that retrieves member information by mobile number. The vulnerable function does not verify that the requested mobile number belongs to the authenticated user and lacks role or permission checks. This allows any authenticated user to query arbitrary mobile numbers and obtain sensitive authentication-related data such as member IDs, mobile numbers, status, and usernames. The flaw enables attackers to perform horizontal privilege escalation, exposing private information and facilitating further attacks on victim accounts. [1, 2, 3]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive authentication data and internal member IDs, enabling attackers to map mobile numbers to user accounts. Attackers with valid credentials can exploit this to perform horizontal privilege escalation, accessing or manipulating other users' data on related endpoints (e.g., balances, orders, addresses). It also allows attackers to enumerate valid mobile numbers, aiding phishing, social engineering, and harassment campaigns. The increased attack surface can be chained with other vulnerabilities to compromise victim accounts, undermining system trust and security. [1, 2, 3]

Useful 0 Not Useful 0

Compliance Impact

The vulnerability violates privacy regulations such as GDPR, CCPA, and PIPL by exposing personally identifiable information (PII), specifically mobile numbers linked to internal member IDs, without proper authorization. This unauthorized disclosure of sensitive data breaches data protection requirements, potentially leading to non-compliance with these standards and regulations. It increases the risk of targeted harassment, social engineering, and privacy violations. [2, 3]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring and testing the API endpoint GET /mall-ums/app-api/v1/members/mobile/{mobile} for improper access control. You can attempt to send authenticated GET requests with different mobile numbers to see if the system returns member information without proper authorization. For example, using curl with a valid app login token: curl -H "Authorization: Bearer <valid_token>" https://<target>/mall-ums/app-api/v1/members/mobile/<victim_mobile>. If the response returns member data for mobile numbers other than the authenticated user, the vulnerability is present. Additionally, check logs for unusual enumeration patterns or repeated access to this endpoint with varying mobile numbers. No built-in rate limiting or auditing exists, so detection relies on active testing and monitoring for suspicious API usage. [2, 3]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable API endpoint by implementing proper access control checks to ensure that users can only query their own mobile number. This involves adding ownership validation (e.g., verifying the requested mobile number matches the authenticated user's mobile) and enforcing role or permission checks (e.g., using @PreAuthorize annotations). If patching is not possible, consider disabling or restricting access to the endpoint entirely. Additionally, implement rate limiting and auditing to detect and prevent enumeration attacks. Since no official vendor patch is available, consider replacing the affected component with an alternative product or applying custom access control fixes as soon as possible. [1, 2, 3]

Useful 0 Not Useful 0