CVE-2025-66735
Incorrect Access Control in youlai-boot SysRoleController Allows Privilege Escalation
Publication date: 2025-12-22
Last updated on: 2025-12-22
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| youlai | youlai-boot | 2.21.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-66735 is an Incorrect Access Control vulnerability in youlai-boot V2.21.1. The getRoleForm function in SysRoleController.java and its related service method do not perform permission or authorization checks when retrieving role information by roleId. This allows non-root users to input arbitrary role IDs, including the root role's ID, and access sensitive role information without proper privileges. [1, 2]
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized access to sensitive role information, including root user roles. An attacker or non-root user can exploit this flaw to escalate privileges or gain insights into privileged roles, potentially compromising the security of the system by bypassing intended access controls. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the `getRoleForm` REST endpoint with different `roleId` values, including those of root roles, to see if unauthorized access to root role information is possible. For example, you can use curl commands to attempt to retrieve role information without proper authorization, such as: curl -X GET "http://<your-server>/sysRole/{roleId}/form" Replace {roleId} with the root role's ID or other role IDs to check if access control is enforced. If the response returns sensitive role data without authentication or permission checks, the vulnerability exists. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include implementing proper permission and identity checks in the `getRoleForm` function and its related service methods. Specifically, ensure that only authorized users, such as root users, can access root role data. This can be done by adding checks like `ne(!SecurityUtils.isRoot(), SysRole::getCode, SystemConstants.ROOT_ROLE_CODE)` to deny access if the user is not root and the role code matches the root role. Additionally, enforce data scope restrictions using methods like `roleService.getMaxDataRangeDataScope(roles)` to limit access boundaries. Applying the official patches or updates from the youlai-boot project that fix this issue is also recommended. [2]