CVE-2025-66736
Unknown Unknown - Not Provided

Authorization Bypass via Incorrect Access Control in youlai-boot importUsers

Vulnerability report for CVE-2025-66736, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-12-22

Last updated on: 2025-12-22

Assigner: MITRE

Description

youlai-boot V2.21.1 is vulnerable to Incorrect Access Control. The importUsers function in SysUserController.java does not perform a permission check on the current user's identity, which may allow regular users to import user data into the database, resulting in an authorization bypass vulnerability.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-12-22
Last Modified
2025-12-22
Generated
2026-07-06
AI Q&A
2025-12-23
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
youlai youlai-boot 2.21.1

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2025-66736 is an authorization bypass vulnerability in the youlai-boot software, specifically in the importUsers function of SysUserController.java. This function allows importing user data into the database but does not perform any permission or authorization checks on the user invoking it. As a result, any user, whether authenticated or not, can import arbitrary user data, potentially leading to unauthorized creation or modification of user accounts. [1, 2]

Impact Analysis

This vulnerability can impact you by allowing unauthorized users to inject arbitrary user data into your database. This can lead to database pollution, creation of unauthorized or illegal user accounts, and compromise of data integrity and security. Attackers could exploit this to escalate privileges, disrupt normal operations, or manipulate user information. [1, 2]

Detection Guidance

Detection can focus on monitoring calls to the `importUsers` API endpoint, specifically POST requests to `/import` in the SysUserController. You can check your web server or application logs for unexpected or unauthorized POST requests to this endpoint. For example, using command-line tools: 1. To search logs for access to the import endpoint: `grep 'POST /import' /path/to/access.log` 2. To monitor live traffic for such requests (if using tcpdump and HTTP on port 80): `tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'POST /import'` 3. If using curl or similar tools, test if the endpoint is accessible without proper authorization by sending a POST request with a sample user import file and observing the response. These methods help detect unauthorized usage of the vulnerable API. [2]

Compliance Impact

The vulnerability allows unauthorized users to import arbitrary user data into the database without permission checks, which can lead to unauthorized data injection and compromise data integrity and security. This lack of access control could result in violations of data protection regulations such as GDPR or HIPAA, which require strict controls over personal data access and processing. Therefore, the vulnerability negatively impacts compliance with these common standards and regulations by enabling unauthorized data manipulation. [1, 2]

Mitigation Strategies

Immediate mitigation involves adding proper authorization checks to the `importUsers` API endpoint to restrict access only to authorized users. Specifically, implement permission checks such as Spring Security's `@PreAuthorize` annotation with an expression like `@PreAuthorize("@ss.hasPerm('sys:role:edit')")` on the `importUsers` method. This ensures only users with the appropriate permissions can invoke the import function. Additionally, review and restrict access to the API endpoint at the network or application firewall level to prevent unauthorized calls until a code fix is deployed. [2]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-66736. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart