CVE-2025-14052

6.3 MEDIUM

📋 TL;DR

This vulnerability in youlai-mall allows attackers to bypass access controls by manipulating the memberId parameter passed to the getMemberById function. Attackers can remotely read member data they are not authorized to see. All deployments running youlai-mall version 1.0.0 or 2.0.0 are affected.

💻 Affected Systems

Products:
  • youlaitech youlai-mall
Versions: 1.0.0 and 2.0.0
Operating Systems: Any
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the /mall-ums/app-api/v1/members/ endpoint. All deployments with these versions are vulnerable by default.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could access sensitive member information including personal data, credentials, or payment information, potentially leading to data breaches and identity theft.

🟠

Likely Case

Unauthorized access to member profiles and associated data, potentially exposing personal information and account details.

🟢

If Mitigated

With proper access controls and input validation, the vulnerability would be prevented, limiting access to authorized users only.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

The exploit has been publicly disclosed. It requires an authenticated session but bypasses the authorization check: an attacker only needs to change the memberId parameter to another member's value.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch is available. The vendor was contacted but did not respond. Consider the workarounds below or alternative solutions.

🔧 Temporary Workarounds

Implement Input Validation (applies to: all)

  • Add server-side validation to ensure the memberId parameter matches the authenticated user's permissions
  • Modify the getMemberById function to verify the caller's authorization before processing memberId

Restrict API Access (applies to: all)

  • Use a web application firewall or reverse proxy to restrict access to the vulnerable endpoint
  • Configure WAF rules to block suspicious parameter manipulation in /mall-ums/app-api/v1/members/

🧯 If You Can't Patch

  • Isolate the vulnerable system behind additional network segmentation
  • Implement strict monitoring and alerting for unauthorized access attempts to the members API

🔍 How to Verify

Check if Vulnerable:

Test whether you can access another member's data by changing the memberId parameter in API calls to /mall-ums/app-api/v1/members/

Check Version:

Check the application configuration or package files for the youlai-mall version

Verify Fix Applied:

Verify that requests for memberId values the caller is not authorized to read are rejected with a proper authorization error

📡 Detection & Monitoring

Log Indicators:

  • Unusual access patterns to member endpoints
  • Failed authorization attempts followed by successful member data access
  • Multiple memberId values accessed by single user session

Network Indicators:

  • Unusual API calls to /mall-ums/app-api/v1/members/ with manipulated parameters
  • High volume of member data requests from single source

SIEM Query:

source="application_logs" AND uri="/mall-ums/app-api/v1/members/*" AND status=200 | stats count by user, memberId
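Detection logic for the log indicators listed above, run over constructed sample log lines. This is an added example, not code from the advisory or from the youlai-mall project; the log line layout and the position of memberId in the URI are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not from a real deployment). The layout
# "timestamp user=<authenticated id> METHOD URI STATUS" is an assumption.
SAMPLE_LOGS = """\
2025-01-10T10:00:01Z user=1001 GET /mall-ums/app-api/v1/members/1001 200
2025-01-10T10:00:02Z user=1001 GET /mall-ums/app-api/v1/members/1002 200
2025-01-10T10:00:03Z user=1001 GET /mall-ums/app-api/v1/members/1003 200
2025-01-10T10:00:04Z user=1001 GET /mall-ums/app-api/v1/members/1004 200
2025-01-10T10:00:05Z user=2002 GET /mall-ums/app-api/v1/members/2002 200
2025-01-10T10:00:06Z user=3003 GET /mall-ums/app-api/v1/members/9999 403
2025-01-10T10:00:07Z user=3003 GET /mall-ums/app-api/v1/members/3003 200
2025-01-10T10:00:08Z user=4004 GET /mall-ums/app-api/v1/members/?memberId=4004 200
"""

ENDPOINT = "/mall-ums/app-api/v1/members/"
LINE_RE = re.compile(r"^\S+ user=(?P<user>\d+) [A-Z]+ (?P<uri>\S+) (?P<status>\d{3})$")
# memberId is assumed to arrive either as the trailing path segment or as a query parameter.
MEMBER_RE = re.compile(r"/members/(\d+)|[?&]memberId=(\d+)")


def parse_member_requests(log_text):
    """Yield (user, memberId, status) for each request to the members endpoint, in log order."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or ENDPOINT not in m["uri"]:
            continue
        mid = MEMBER_RE.search(m["uri"])
        if mid:
            yield m["user"], mid.group(1) or mid.group(2), int(m["status"])


def find_suspicious_users(log_text, max_distinct=3):
    """Return {user: [reasons]} for two of the indicators above: more than max_distinct
    distinct memberIds read successfully by one user (enumeration), or a denied request
    followed later by a successful member read (denied_then_success)."""
    ok_ids, was_denied, findings = defaultdict(set), set(), defaultdict(list)
    for user, member_id, status in parse_member_requests(log_text):
        if status == 200:
            ok_ids[user].add(member_id)
            if user in was_denied and "denied_then_success" not in findings[user]:
                findings[user].append("denied_then_success")
        elif status in (401, 403):
            was_denied.add(user)
    for user, ids in ok_ids.items():
        if len(ids) > max_distinct:
            findings[user].append("enumeration")
    return dict(findings)
```

Tune max_distinct to the number of member records a single account legitimately reads in your deployment; flagged users are candidates for review, not confirmed abuse.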
