CVE-2025-66735
Unknown Unknown - Not Provided
Incorrect Access Control in youlai-boot SysRoleController Allows Privilege Escalation

Publication date: 2025-12-22

Last updated on: 2025-12-22

Assigner: MITRE

Description
youlai-boot V2.21.1 is vulnerable to Incorrect Access Control. The getRoleForm function in SysRoleController.java does not perform permission checks, which may allow non-root users to directly access root roles.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-22
Last Modified
2025-12-22
Generated
2026-06-16
AI Q&A
2025-12-23
EPSS Evaluated
2026-06-14
NVD
CVE-2025-66735
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
youlai youlai-boot 2.21.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-66735 is an Incorrect Access Control vulnerability in youlai-boot V2.21.1. The getRoleForm function in SysRoleController.java and its related service method do not perform permission or authorization checks when retrieving role information by roleId. This allows non-root users to input arbitrary role IDs, including the root role's ID, and access sensitive role information without proper privileges. [1, 2]

Impact Analysis

This vulnerability can lead to unauthorized access to sensitive role information, including root user roles. An attacker or non-root user can exploit this flaw to escalate privileges or gain insights into privileged roles, potentially compromising the security of the system by bypassing intended access controls. [1, 2]

Detection Guidance

This vulnerability can be detected by testing the `getRoleForm` REST endpoint with different `roleId` values, including those of root roles, to see if unauthorized access to root role information is possible. For example, you can use curl commands to attempt to retrieve role information without proper authorization, such as: curl -X GET "http://<your-server>/sysRole/{roleId}/form" Replace {roleId} with the root role's ID or other role IDs to check if access control is enforced. If the response returns sensitive role data without authentication or permission checks, the vulnerability exists. [2]

Mitigation Strategies

Immediate mitigation steps include implementing proper permission and identity checks in the `getRoleForm` function and its related service methods. Specifically, ensure that only authorized users, such as root users, can access root role data. This can be done by adding checks like `ne(!SecurityUtils.isRoot(), SysRole::getCode, SystemConstants.ROOT_ROLE_CODE)` to deny access if the user is not root and the role code matches the root role. Additionally, enforce data scope restrictions using methods like `roleService.getMaxDataRangeDataScope(roles)` to limit access boundaries. Applying the official patches or updates from the youlai-boot project that fix this issue is also recommended. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-66735. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart