CVE-2025-66916
Arbitrary File Read/Write via QLExpress in RuoYi-Vue-Plus Snailjob
Publication date: 2026-01-08
Last updated on: 2026-01-08
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dromara | ruoyi-vue-plus | to 5.5.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
An attacker can leverage this vulnerability to read and write arbitrary files on the affected system. This can lead to unauthorized data access, data manipulation, or system compromise, potentially resulting in loss of confidentiality, integrity, and availability of data and services. [3]
Can you explain this vulnerability to me?
This vulnerability exists in the snailjob component of RuoYi-Vue-Plus versions 5.5.1 and earlier. The interface /snail-job/workflow/check-node-expression executes QLExpress expressions but does not filter user input properly. This allows attackers to exploit the File class within QLExpress to perform arbitrary file reading and writing on the system. [3]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately upgrade RuoYi-Vue-Plus to a version later than 5.5.1 where the issue is fixed. Additionally, restrict access to the /snail-job/workflow/check-node-expression interface to trusted users only, and implement input validation or filtering to prevent execution of arbitrary QLExpress expressions. Monitoring and blocking suspicious file read/write operations related to this interface can also help reduce risk. [3]