CVE-2024-57436

7.2 HIGH

📋 TL;DR

CVE-2024-57436 is a session ID exposure vulnerability in RuoYi v4.8.0 that allows unauthorized attackers to view admin session IDs through system monitoring. This enables session hijacking where attackers can impersonate admin users by crafting cookies with stolen session IDs. Organizations using RuoYi v4.8.0 are affected.

💻 Affected Systems

Products:
  • RuoYi
Versions: v4.8.0
Operating Systems: Any OS running RuoYi
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects RuoYi v4.8.0; other versions may be safe. The vulnerability exists in the system monitoring functionality.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete administrative takeover of the RuoYi system, allowing attackers to modify configurations, access sensitive data, deploy backdoors, and potentially pivot to other systems.

🟠 Likely Case

Unauthorized administrative access leading to data theft, configuration changes, and privilege escalation within the RuoYi application.

🟢 If Mitigated

Limited impact with proper network segmentation, strong authentication, and session management controls in place.

🌐 Internet-Facing: HIGH - Internet-facing RuoYi instances are directly accessible to attackers who can exploit this without authentication.
🏢 Internal Only: MEDIUM - Internal instances are still vulnerable to insider threats or attackers who gain internal network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires accessing the system monitoring endpoint to retrieve session IDs, then crafting cookies. Public proof-of-concept exists in GitHub repositories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v4.8.1 or later

Vendor Advisory: https://ruoyi.vip/

Restart Required: Yes

Instructions:

1. Back up the current RuoYi installation.
2. Download the latest version from the official repository.
3. Replace the affected files with the patched version.
4. Restart the application server.
5. Verify that session IDs are no longer exposed in monitoring.

🔧 Temporary Workarounds

Disable System Monitoring Endpoint

Temporarily disable or restrict access to the system monitoring functionality that exposes session IDs.

  • Modify the application configuration to disable the /monitor endpoints
  • Add access controls to restrict the /monitor/* paths

Implement Session Validation

Add additional session validation checks to prevent cookie-based session hijacking.

  • Implement IP binding for sessions
  • Add user-agent validation
  • Enable session timeout and rotation

🧯 If You Can't Patch

  • Implement network segmentation to isolate RuoYi from critical systems
  • Deploy WAF with session protection rules to detect and block session hijacking attempts

🔍 How to Verify

Check if Vulnerable:

Access the system monitoring endpoint (typically /monitor/server) as an unauthenticated user and check if session IDs are visible in the response.

Check Version:

Check the RuoYi version in the application properties or in the admin interface.

Verify Fix Applied:

After patching, attempt to access the same monitoring endpoint and verify session IDs are no longer exposed in responses.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed authentication attempts followed by successful admin login from new IP
  • Unusual access patterns to /monitor endpoints
  • Admin sessions from unexpected IP addresses or user agents

Network Indicators:

  • Unusual traffic to system monitoring endpoints from unauthorized sources
  • Cookie manipulation attempts in HTTP headers

SIEM Query:

source="ruoyi" AND (uri_path="/monitor/*" OR cookie="JSESSIONID=*") | stats count by src_ip
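
The log indicators above, as an added detection example that is not part of this page or of RuoYi itself: it runs over a small constructed JSON-lines access log (the field names are an assumption, not RuoYi's log format) and flags unauthenticated hits on /monitor/ paths, session IDs reused from a different source IP or user agent than the one that established them, and source IPs that did both, which is the chain this CVE enables.

```python
import json

# Constructed sample access log (JSON lines). Field names are an assumption
# for this example; adapt the parser to your reverse proxy or app log format.
SAMPLE_LOG = """
{"ts":"2025-01-10T09:00:01Z","src_ip":"10.0.0.5","user":"admin","path":"/index","ua":"Firefox/120","sid":"S1"}
{"ts":"2025-01-10T09:00:30Z","src_ip":"10.0.0.5","user":"admin","path":"/system/user/list","ua":"Firefox/120","sid":"S1"}
{"ts":"2025-01-10T09:01:00Z","src_ip":"203.0.113.7","user":"-","path":"/monitor/server","ua":"curl/8.0","sid":"-"}
{"ts":"2025-01-10T09:01:20Z","src_ip":"203.0.113.7","user":"admin","path":"/system/config/list","ua":"curl/8.0","sid":"S1"}
{"ts":"2025-01-10T09:02:00Z","src_ip":"10.0.0.9","user":"bob","path":"/index","ua":"Chrome/121","sid":"S2"}
"""

MONITOR_PREFIX = "/monitor/"


def analyze(log_text):
    """Return (unauth_monitor, hijack_suspects).

    unauth_monitor: (ts, src_ip, path) for /monitor/* hits with no logged-in user.
    hijack_suspects: session IDs seen from a (src_ip, ua) pair that differs from
    the pair that first used that session ID.
    """
    unauth_monitor = []
    hijack_suspects = []
    first_seen = {}  # sid -> (src_ip, ua) of the first request carrying it
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        if ev["path"].startswith(MONITOR_PREFIX) and ev["user"] == "-":
            unauth_monitor.append((ev["ts"], ev["src_ip"], ev["path"]))
        sid = ev["sid"]
        if sid == "-":
            continue
        origin = first_seen.setdefault(sid, (ev["src_ip"], ev["ua"]))
        seen = (ev["src_ip"], ev["ua"])
        if seen != origin:
            hijack_suspects.append({"ts": ev["ts"], "sid": sid, "user": ev["user"],
                                    "expected": origin, "seen": seen})
    return unauth_monitor, hijack_suspects


def correlate(log_text):
    """Source IPs that hit /monitor/* unauthenticated and later reused a
    session ID established elsewhere: the strongest indicator for this CVE."""
    unauth_monitor, hijack_suspects = analyze(log_text)
    probing_ips = {src_ip for _, src_ip, _ in unauth_monitor}
    return sorted({h["seen"][0] for h in hijack_suspects if h["seen"][0] in probing_ips})
```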
