CVE-2025-66736
Authorization Bypass via Incorrect Access Control in youlai-boot importUsers
Publication date: 2025-12-22
Last updated on: 2025-12-22
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| youlai | youlai-boot | 2.21.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-66736 is an authorization bypass vulnerability in the youlai-boot software, specifically in the importUsers function of SysUserController.java. This function allows importing user data into the database but does not perform any permission or authorization checks on the user invoking it. As a result, any user, whether authenticated or not, can import arbitrary user data, potentially leading to unauthorized creation or modification of user accounts. [1, 2]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing unauthorized users to inject arbitrary user data into your database. This can lead to database pollution, creation of unauthorized or illegal user accounts, and compromise of data integrity and security. Attackers could exploit this to escalate privileges, disrupt normal operations, or manipulate user information. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection can focus on monitoring calls to the `importUsers` API endpoint, specifically POST requests to `/import` in the SysUserController. You can check your web server or application logs for unexpected or unauthorized POST requests to this endpoint. For example, using command-line tools: 1. To search logs for access to the import endpoint: `grep 'POST /import' /path/to/access.log` 2. To monitor live traffic for such requests (if using tcpdump and HTTP on port 80): `tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'POST /import'` 3. If using curl or similar tools, test if the endpoint is accessible without proper authorization by sending a POST request with a sample user import file and observing the response. These methods help detect unauthorized usage of the vulnerable API. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves adding proper authorization checks to the `importUsers` API endpoint to restrict access only to authorized users. Specifically, implement permission checks such as Spring Security's `@PreAuthorize` annotation with an expression like `@PreAuthorize("@ss.hasPerm('sys:role:edit')")` on the `importUsers` method. This ensures only users with the appropriate permissions can invoke the import function. Additionally, review and restrict access to the API endpoint at the network or application firewall level to prevent unauthorized calls until a code fix is deployed. [2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows unauthorized users to import arbitrary user data into the database without permission checks, which can lead to unauthorized data injection and compromise data integrity and security. This lack of access control could result in violations of data protection regulations such as GDPR or HIPAA, which require strict controls over personal data access and processing. Therefore, the vulnerability negatively impacts compliance with these common standards and regulations by enabling unauthorized data manipulation. [1, 2]