CVE-2025-10989 in RuoYi
Summary
by MITRE • 09/26/2025
A security flaw has been discovered in yangzongzhuan RuoYi up to 4.8.1. This vulnerability affects unknown code of the file /system/role/authUser/selectAll. Performing manipulation of the argument userIds results in improper authorization. The attack can be initiated remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 10/03/2025
The vulnerability identified as CVE-2025-10989 resides within the yangzongzhuan RuoYi framework version 4.8.1 and earlier, representing a critical authorization flaw that undermines the system's access control mechanisms. This security weakness specifically impacts the /system/role/authUser/selectAll endpoint where the application fails to properly validate or sanitize user input parameters, particularly the userIds argument. The flaw enables attackers to manipulate authorization boundaries through improper input handling, potentially allowing unauthorized users to access or modify data they should not have permission to interact with.
The technical implementation of this vulnerability stems from inadequate input validation and authorization checks within the role-based access control system. When the userIds parameter is processed in the selectAll endpoint, the application does not properly verify whether the requesting user has legitimate authorization to access the specified user IDs. This represents a classic case of insufficient authorization control as classified under CWE-285, where the system fails to properly enforce access control policies. The vulnerability operates at the application logic level rather than at the network or infrastructure layer, making it particularly dangerous as it can be exploited through legitimate application interfaces.
Remote exploitation of this vulnerability presents significant operational risks for organizations utilizing affected RuoYi versions. Attackers can leverage this flaw to perform unauthorized data access, potentially gaining access to sensitive user information, performing privilege escalation, or executing unauthorized operations within the system. The public availability of exploit code further amplifies the threat landscape, as it reduces the barrier to exploitation and enables widespread compromise of affected systems. This vulnerability directly aligns with attack patterns documented in the MITRE ATT&CK framework under the privilege escalation and defense evasion tactics, where adversaries can manipulate authorization controls to gain unauthorized access to system resources.
Organizations should immediately implement mitigations including thorough input validation, comprehensive authorization checks, and code review processes to address this vulnerability. The recommended approach involves strengthening the userIds parameter validation to ensure that only authorized users can access specific user data, implementing proper access control lists, and conducting regular security assessments of the application's authorization mechanisms. Additionally, organizations should consider implementing network segmentation, monitoring for anomalous access patterns, and maintaining up-to-date security patches. The lack of vendor response to early disclosure highlights the importance of proactive security measures and alternative remediation strategies for organizations relying on potentially vulnerable open source components.