CVE-2025-70060 in yapi

Summary

by MITRE • 03/09/2026

An issue pertaining to CWE-79: Improper Neutralization of Input During Web Page Generation was discovered in YMFE yapi v1.12.0.

Analysis

by VulDB Data Team • 03/12/2026

The vulnerability identified as CVE-2025-70060 is a critical web application security flaw affecting YMFE yapi version 1.12.0. It stems from improper input neutralization during web page generation and is categorized under CWE-79, which covers cross-site scripting vulnerabilities. The flaw manifests when the application fails to adequately sanitize user-supplied data before incorporating it into dynamically generated web content, giving malicious actors a way to inject harmful scripts into the application's response.

The flaw lies in the web page generation component of yapi, where user input is processed and rendered without sufficient sanitization. When an attacker submits malicious input through various application interfaces, the system does not properly escape or filter special characters that web browsers could interpret as executable code. This failure allows the injection of JavaScript code or other malicious payloads that execute in the browsers of other users who view the affected content. The vulnerability is particularly concerning because yapi is a collaborative API development platform where multiple users interact with shared resources, amplifying the potential impact of successful exploitation.

The operational impact of this vulnerability extends beyond simple data theft or defacement, as it can enable attackers to perform a wide range of malicious activities including session hijacking, credential theft, and unauthorized access to sensitive API resources. An attacker could craft malicious input that, when viewed by another user, would execute scripts to steal session cookies, redirect users to phishing sites, or manipulate API calls to gain unauthorized access to backend systems. The vulnerability affects the application's core functionality as it compromises the integrity of user-generated content and potentially exposes the entire API development environment to unauthorized access and manipulation.

Mitigation for this vulnerability should prioritize immediate input sanitization and output encoding within the yapi application. Organizations should implement comprehensive input validation that filters or escapes special characters before processing user data, alongside robust output encoding that ensures all dynamic content is properly escaped for the target context. Content Security Policy headers can provide additional protection against script execution, while regular security audits should verify that all user-supplied content undergoes proper sanitization. Updates to the application should be prioritized to address the root cause, with organizations monitoring for patches from the YMFE yapi maintainers and implementing temporary workarounds if immediate updates are not feasible. This vulnerability aligns with ATT&CK technique T1059.007 (Command and Scripting Interpreter: JavaScript) for script injection and demonstrates the importance of proper input validation as outlined in OWASP Top 10 2021 category A03: Injection.

Responsible: MITRE
Reservation: 01/09/2026
Disclosure: 03/09/2026
Moderation: accepted
CPE: ready
EPSS: 0.00053
KEV: no
Activities: very low

Sources
