CVE-2025-10979

4.3 MEDIUM

📋 TL;DR

JeecgBoot up to and including version 3.8.2 has an improper authorization vulnerability in the /sys/role/exportXls endpoint: the role export handler does not check that the caller holds the role-management (export) permission, so an authenticated but low-privileged account can download the role list. All JeecgBoot deployments on affected versions are exposed. The attack is remote, needs only a valid account, and a public exploit exists.

💻 Affected Systems

Products:
  • JeecgBoot
Versions: Up to and including 3.8.2
Operating Systems: All platforms running JeecgBoot
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments using default configurations are vulnerable. The vulnerability exists in the role management export functionality.

📦 What is this software?

JeecgBoot is an open-source Java low-code platform (Spring Boot backend, Vue frontend) that ships a built-in system administration module. The role management screens in that module, including the role export function affected here, are part of the standard backend.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could export and exfiltrate the full role configuration (role names, codes and descriptions), giving them a map of the authorization model to use when planning privilege escalation or lateral movement within the application.

🟠

Likely Case

Unauthorized access to role information and permissions data, compromising confidentiality of authorization structures.

🟢

If Mitigated

With the administration interface reachable only from a segmented management network and accounts tightly controlled, impact is limited to disclosure of role data to users who already have a foothold in that zone.

🌐 Internet-Facing: HIGH - The vulnerability can be exploited remotely by any low-privileged account and a public exploit is available, so internet-facing instances, especially those where accounts are easy to obtain, are particularly exposed.
🏢 Internal Only: MEDIUM - Internal systems are still vulnerable to any user with an account and network access; risk depends on the internal threat landscape and on segmentation of the administration interface.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit details are publicly available on vulnerability databases and blogs. The attack requires network access to the endpoint and a valid account (any low-privileged user), but not the role-management permission that the export should demand.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 3.8.3 or later

Vendor Advisory: No official vendor advisory available (vendor did not respond to disclosure)

Restart Required: Yes

Instructions:

1. Upgrade JeecgBoot to version 3.8.3 or later.
2. Restart the application server.
3. Confirm that /sys/role/exportXls now rejects a low-privileged account (see How to Verify).

🔧 Temporary Workarounds

Block vulnerable endpoint

nginx

Temporarily block access to /sys/role/exportXls at the reverse proxy or WAF. If the backend runs under a context path (JeecgBoot's default is /jeecg-boot), the rule must include it or it will never match. Note that this also blocks legitimate administrators; allowlist their addresses if the export is still needed while unpatched.

# Example nginx location block (adjust the context path and allowlist to your deployment):
location ~ ^/(jeecg-boot/)?sys/role/exportXls {
    # allow 10.0.0.0/24;   # example admin network, uncomment if exports must keep working
    deny all;              # nginx answers 403 for denied clients
}

Implement authorization check

java

Guard the export handler with a permission check so that only accounts holding the role-export permission can call it. JeecgBoot controllers use Apache Shiro annotations for this; the permission code below is illustrative and must match whatever code the deployment's menu/permission configuration assigns to role export, and that code must be granted to the administrator roles, otherwise they lose the export too.

// Java example - guard the handler with a permission check (Shiro annotation used by JeecgBoot)
import org.apache.shiro.authz.annotation.RequiresPermissions;

@RequiresPermissions("sys:role:export")   // illustrative permission code; use your deployment's
@RequestMapping(value = "/exportXls", method = RequestMethod.GET)
public ModelAndView exportXls(HttpServletRequest request, SysRole sysRole) { /* existing export body */ }

🧯 If You Can't Patch

  • Implement network segmentation to restrict access to JeecgBoot administration interfaces
  • Deploy a web application firewall or reverse-proxy rule that restricts the role export endpoint to the source addresses of administrators who legitimately use it

🔍 How to Verify

Check if Vulnerable:

Log in as a low-privileged account that has no role-management permission, then request http://[jeecgboot-host]/sys/role/exportXls with that account's token (JeecgBoot's frontend sends it in the X-Access-Token header; include the backend context path, e.g. /jeecg-boot, if one is configured). If a spreadsheet of role data is returned, the system is vulnerable. Requesting the endpoint with no token at all only tests the login gate, not this flaw.

Check Version:

Check the JeecgBoot version in the backend build metadata (the project version in pom.xml or the built JAR) or via the admin interface

Verify Fix Applied:

After patching, repeat the request with the same low-privileged account and verify it returns an authorization error (HTTP 403 or a JSON "no permission" response) rather than a spreadsheet. Also confirm that an account which legitimately holds the export permission can still export.
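A probe for the vulnerability check and for the post-patch verification above, added here by the editor (it is not code from the advisory or from the JeecgBoot project). It assumes the backend is served under JeecgBoot's default /jeecg-boot context path and that a low-privileged account's JWT is passed in the X-Access-Token header; both are assumptions to adjust. The response classifier carries the logic: a spreadsheet coming back for an account that should not hold the export permission is the finding, a 401/403 or a JSON error envelope means the control held, and anything else (a 404 from a wrong context path, a login page) is reported as inconclusive rather than as a pass.

```python
"""Added example: probe a JeecgBoot instance for CVE-2025-10979.

Editor-supplied code, not part of the advisory or the JeecgBoot project.
Assumptions (not taken from the page): the backend is reachable under the
context path /jeecg-boot and the JWT is sent in the X-Access-Token header.
"""
import json
import sys
import urllib.error
import urllib.request
from typing import Optional

ENDPOINT = "/sys/role/exportXls"
TOKEN_HEADER = "X-Access-Token"   # assumption: JeecgBoot's JWT header name

# File signatures of the spreadsheet formats an export can come back as.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0"  # legacy .xls (CFB container)
ZIP_MAGIC = b"PK\x03\x04"          # .xlsx (OOXML zip)


def classify_response(status: int, content_type: str, body: bytes) -> str:
    """Interpret a response to GET .../sys/role/exportXls.

    'vulnerable'   a spreadsheet came back, i.e. the export ran for this caller
    'protected'    the server refused: HTTP 401/403 or a JSON error envelope
    'inconclusive' anything else (wrong context path, login page, ...)
    """
    if status in (401, 403):
        return "protected"
    ct = content_type.lower()
    if status == 200:
        if body.startswith(OLE2_MAGIC) or body.startswith(ZIP_MAGIC):
            return "vulnerable"
        if "excel" in ct or "spreadsheet" in ct or "octet-stream" in ct:
            return "vulnerable"
    if "json" in ct:
        try:
            envelope = json.loads(body.decode("utf-8", "replace"))
        except ValueError:
            return "inconclusive"
        # JeecgBoot-style {"success": false, ...} envelope on a refused call,
        # whatever HTTP status the exception handler chose to send it with
        if isinstance(envelope, dict) and envelope.get("success") is False:
            return "protected"
    return "inconclusive"


def probe(base_url: str, token: Optional[str], context_path: str = "/jeecg-boot") -> str:
    """Send the request and classify it (network call; not exercised by the tests)."""
    url = base_url.rstrip("/") + context_path + ENDPOINT
    req = urllib.request.Request(url, method="GET")
    if token:
        req.add_header(TOKEN_HEADER, token)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return classify_response(resp.getcode(), resp.headers.get("Content-Type", "") or "", resp.read(512))
    except urllib.error.HTTPError as err:
        return classify_response(err.code, err.headers.get("Content-Type", "") or "", err.read(512))


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: probe.py https://host <low-privilege-token>")
    # The unauthenticated request only confirms the login gate works;
    # the low-privilege request is the actual CVE-2025-10979 test.
    print("no token      :", probe(sys.argv[1], None))
    print("low-privilege :", probe(sys.argv[1], sys.argv[2]))
```

Run it before and after patching with the same low-privileged token: "vulnerable" before and "protected" after is the expected pair. An "inconclusive" result usually means the context path is wrong or the token was rejected at the login gate, so fix the request before drawing any conclusion.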

📡 Detection & Monitoring

Log Indicators:

  • Successful (HTTP 200) responses from /sys/role/exportXls to accounts that do not hold role-management permissions
  • Repeated export requests from a single account or source IP within a short window
  • Spreadsheet downloads from role management endpoints at unusual times or in unusual volumes

Network Indicators:

  • HTTP GET requests to /sys/role/exportXls from clients that otherwise use only low-privilege parts of the application
  • Excel/binary spreadsheet responses to role endpoints delivered to unexpected clients or addresses

SIEM Query (Splunk-style; the field names are placeholders to map onto your log schema, and the exclusion list must hold the accounts that legitimately export roles):

source="jeecgboot-logs" uri="*/sys/role/exportXls" status=200 NOT user IN ("admin")
| stats count, min(_time) AS first_seen, max(_time) AS last_seen BY user, src_ip
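The indicators and query above turned into runnable detection logic, as an added example from the editor (not from the advisory or the JeecgBoot project). It runs over a constructed JSON-lines request log with the fields ts, user, src_ip, uri and status; a real deployment would map its own audit or access-log schema onto those names, and the ROLE_ADMINS allowlist must be replaced with the accounts that legitimately export roles. Two rules are applied: a successful export by a non-admin account (the authorization failure itself) and a burst of export attempts from one account and address regardless of outcome.

```python
"""Added example: flag suspicious role exports in JeecgBoot request logs.

Editor-supplied code, not from the advisory or the JeecgBoot project. The
log format and field names below are assumptions; the sample log is
constructed, not captured traffic.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

EXPORT_URI = "/sys/role/exportXls"

# Accounts expected to export roles (assumption: replace with your own list).
# Any other account getting a 200 from the endpoint is the CVE-2025-10979 case.
ROLE_ADMINS = {"admin"}

BURST_WINDOW = timedelta(minutes=5)
BURST_THRESHOLD = 3

# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
{"ts":"2025-09-25T10:00:01","user":"admin","src_ip":"10.0.0.5","uri":"/jeecg-boot/sys/role/exportXls","status":200}
{"ts":"2025-09-25T10:01:10","user":"jsmith","src_ip":"10.0.0.9","uri":"/jeecg-boot/sys/role/list","status":200}
{"ts":"2025-09-25T10:02:30","user":"jsmith","src_ip":"10.0.0.9","uri":"/jeecg-boot/sys/role/exportXls","status":200}
{"ts":"2025-09-25T10:02:31","user":"jsmith","src_ip":"10.0.0.9","uri":"/jeecg-boot/sys/role/exportXls?x=1","status":200}
{"ts":"2025-09-25T10:02:33","user":"jsmith","src_ip":"10.0.0.9","uri":"/jeecg-boot/sys/role/exportXls","status":200}
{"ts":"2025-09-25T10:03:00","user":"anonymous","src_ip":"203.0.113.7","uri":"/jeecg-boot/sys/role/exportXls","status":401}
{"ts":"2025-09-25T10:30:00","user":"rlee","src_ip":"10.0.0.12","uri":"/jeecg-boot/sys/role/exportXls","status":200}
"""


def parse_log(text):
    """Parse JSON lines into dicts, converting ts to datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records


def is_export_hit(rec):
    # Match on the path suffix so a context path (e.g. /jeecg-boot) or a
    # query string does not hide the request from the rule.
    path = rec["uri"].split("?", 1)[0]
    return path.endswith(EXPORT_URI)


def detect(records, role_admins=ROLE_ADMINS):
    """Return a list of (rule, user, src_ip) alerts."""
    alerts = []
    attempts = defaultdict(list)
    for rec in records:
        if not is_export_hit(rec):
            continue
        # Rule 1: the export succeeded for an account that should not hold the
        # permission. A 401/403 here is the control working, so it is not alerted.
        if rec["status"] == 200 and rec["user"] not in role_admins:
            alerts.append(("unprivileged_export", rec["user"], rec["src_ip"]))
        attempts[(rec["user"], rec["src_ip"])].append(rec["ts"])
    # Rule 2: a burst of export attempts from one user/IP, whatever the outcome.
    for (user, ip), times in attempts.items():
        times.sort()
        for i, start in enumerate(times):
            if sum(1 for t in times[i:] if t - start <= BURST_WINDOW) >= BURST_THRESHOLD:
                alerts.append(("export_burst", user, ip))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(*alert)
```

Matching on the path suffix is deliberate: the same endpoint shows up as /sys/role/exportXls or /jeecg-boot/sys/role/exportXls depending on how the backend is mounted, and an exact-string rule would miss one of them.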
