CVE-2025-70985
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-23

Last updated on: 2026-01-30

Assigner: MITRE

Description
Incorrect access control in the update function of RuoYi v4.8.2 allows unauthorized attackers to arbitrarily modify data outside of their scope.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-23
Last Modified
2026-01-30
Generated
2026-06-16
AI Q&A
2026-01-23
EPSS Evaluated
2026-06-15
NVD
CVE-2025-70985
EUVD
EUVD-2026-4236
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
ruoyi ruoyi 4.8.1
ruoyi ruoyi 4.8.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability can be detected by reviewing logs or monitoring API calls to the `update` function in `sysProfileController.java` for unauthorized attempts to modify user data outside the authorized scope. Since the vulnerability involves missing authorization checks, you can look for suspicious update requests where a user modifies another user's information. Specific commands are not provided in the resources, but you could use network monitoring tools or log analysis to identify such unauthorized update attempts. [1, 2]

Mitigation Strategies

The immediate mitigation step is to implement a data scope check (`checkUserDataScope`) in the `update` function before allowing any user information updates. This check ensures that the user invoking the update has the appropriate authorization to modify the specified user's data. Until a patch is applied, restrict access to the update functionality to trusted users only and monitor for suspicious activity. [2]

Executive Summary

CVE-2025-70985 is an authorization vulnerability in the RuoYi v4.8.2 backend management framework. It occurs in the update function of sysProfileController.java, which calls updateUserInfo in SysUserServiceImpl.java to modify user information. The vulnerability arises because the function fails to perform a critical data scope check (checkUserDataScope) to verify if the user has permission to modify the target user's data. As a result, unauthorized users can arbitrarily modify data outside their authorized scope, bypassing proper access control. [1, 2]

Impact Analysis

This vulnerability can allow unauthorized attackers to modify user information that they should not have access to. For example, an attacker could change another user's username, email, phone number, or other personal details without permission. This could lead to data integrity issues, unauthorized data manipulation, and potential misuse of user accounts or sensitive information. [1, 2]

Compliance Impact

The vulnerability allows unauthorized users to modify data outside their authorized scope due to improper access control in the update function. This could lead to unauthorized data modifications, potentially violating data protection principles required by standards like GDPR and HIPAA, which mandate strict access controls and data integrity. Therefore, this flaw may negatively impact compliance with such regulations by enabling unauthorized data access and modification. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-70985. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart