CVE-2025-70058 in yapi
Summary
by MITRE • 02/23/2026
An issue pertaining to CWE-295: Improper Certificate Validation was discovered in YMFE yapi v1.12.0. The application disables TLS/SSL certificate validation by setting 'rejectUnauthorized': false in the HTTPS agent configuration for Axios requests.
Analysis
by VulDB Data Team • 02/27/2026
The vulnerability identified as CVE-2025-70058 represents a critical security flaw in the YMFE yapi application version 1.12.0, specifically categorized under CWE-295: Improper Certificate Validation. This weakness stems from the application's deliberate disabling of TLS/SSL certificate validation through the configuration setting 'rejectUnauthorized': false within the HTTPS agent setup for Axios HTTP requests. The implementation effectively removes the cryptographic verification process that ensures secure communication channels between the application and external services, creating a fundamental breach in the security infrastructure.
The technical exploitation of this vulnerability occurs when the yapi application establishes HTTPS connections to external APIs or services without validating the server certificates presented during the TLS handshake process. When 'rejectUnauthorized' is set to false, the application accepts any certificate regardless of its authenticity, validity, or whether it was issued by a trusted certificate authority. This configuration allows attackers to perform man-in-the-middle attacks by presenting fake certificates that the application will accept without question, thereby compromising the confidentiality and integrity of data transmitted through these connections.
From an operational perspective, this vulnerability creates significant risk exposure for organizations utilizing yapi v1.12.0, particularly in environments where sensitive data flows through external APIs or services. The impact extends beyond simple data interception as it enables attackers to potentially modify communications, inject malicious content, or redirect traffic to compromised endpoints. The vulnerability is particularly concerning in enterprise environments where yapi might be used to manage API documentation, test endpoints, or serve as an integration platform, as these systems often handle credentials, access tokens, and sensitive business data.
Security professionals should note that this vulnerability directly maps to ATT&CK techniques T1046: Network Service Scanning and T1566: Phishing, as it creates opportunities for attackers to establish unauthorized communication channels and potentially gain access to downstream systems. The improper certificate validation creates a trust boundary breach that can be exploited to bypass security controls designed to protect against unauthorized access. Organizations should immediately assess their deployment of yapi v1.12.0 and evaluate whether any external API integrations are vulnerable to this type of attack vector.
Mitigation strategies for CVE-2025-70058 require immediate implementation of proper certificate validation mechanisms within the application configuration. The primary remediation involves removing or properly configuring the 'rejectUnauthorized': false setting in the HTTPS agent configuration to ensure that certificate validation occurs as intended. Additionally, organizations should implement certificate pinning where appropriate and establish monitoring for unauthorized certificate changes or suspicious network activity. The solution must be thoroughly tested to ensure that legitimate external API connections continue to function correctly while maintaining the security benefits of proper certificate validation. Security audits should also verify that similar vulnerabilities do not exist in other third-party libraries or components that might be using similar insecure configurations.