CVE-2025-14908

6.3 MEDIUM

📋 TL;DR

CVE-2025-14908 is an authentication bypass vulnerability in JeecgBoot's multi-tenant management module that allows attackers to manipulate tenant ID parameters without proper authentication. This affects all JeecgBoot installations up to version 3.9.0. Attackers can exploit this remotely to potentially access or modify tenant data.

💻 Affected Systems

Products:
  • JeecgBoot
Versions: Up to and including 3.9.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments using the multi-tenant management module are affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could access, modify, or delete data across multiple tenants, potentially leading to data breaches, privilege escalation, or complete compromise of the multi-tenant environment.

🟠 Likely Case

Unauthorized access to tenant data, potential data leakage between tenants, and manipulation of tenant configurations.

🟢 If Mitigated

With proper network segmentation and authentication controls, impact would be limited to the specific vulnerable component only.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The exploit has been publicly released and requires minimal technical skill to execute.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Any build that includes commit e1c8f00bf2a2e0edddbaa8119afe1dc92d9dc1d2

Vendor Advisory: https://github.com/jeecgboot/JeecgBoot/issues/9196

Restart Required: Yes

Instructions:

1. Update JeecgBoot to a version after commit e1c8f00bf2a2e0edddbaa8119afe1dc92d9dc1d2.
2. Apply the patch from GitHub.
3. Restart the application server.
4. Verify the fix by testing authentication requirements.

🔧 Temporary Workarounds

Network Access Restriction (platform: linux)

Restrict network access to the SysTenantController endpoints to authorized IPs only:

iptables -A INPUT -p tcp --dport [APP_PORT] -s [TRUSTED_IPS] -j ACCEPT
iptables -A INPUT -p tcp --dport [APP_PORT] -j DROP

Web Application Firewall Rules (platform: all)

Implement WAF rules to block requests to vulnerable endpoints without proper authentication

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate the vulnerable component from untrusted networks
  • Deploy additional authentication layers (API gateway, reverse proxy) in front of the vulnerable endpoints

🔍 How to Verify

Check if Vulnerable:

Check if your JeecgBoot version is 3.9.0 or earlier and if the SysTenantController endpoints accept requests without proper authentication

Check Version:

Check application.properties or pom.xml for version information, or use: grep -r "jeecg.boot.version" /path/to/jeecgboot/

Verify Fix Applied:

Test that requests to multi-tenant management endpoints now require proper authentication and tenant ID validation

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to /sys/tenant/* endpoints
  • Requests with manipulated tenant ID parameters
  • Failed authentication attempts followed by successful tenant operations

Network Indicators:

  • Unusual traffic patterns to tenant management endpoints
  • Requests bypassing authentication mechanisms

SIEM Query:

source="jeecgboot" AND (uri_path="/sys/tenant/*" AND auth_status="failed") AND (http_status="200" OR http_status="201")
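The detection logic above, as an added example that is not part of this advisory or of the JeecgBoot project: a small Python detector run over constructed access-log lines that implements the SIEM query (tenant endpoint answered 2xx despite failed authentication), the "failed authentication followed by a successful tenant operation" indicator, and a spread check for one source operating on many distinct tenant IDs. The log field names (ts, src_ip, uri_path, auth_status, http_status, tenant_id) are assumptions chosen to match the SIEM query, not JeecgBoot's real log format.

```python
import json
from collections import defaultdict

# Constructed sample access-log lines (one JSON object per line). The field
# names are assumptions matching the SIEM query above, not JeecgBoot's format.
SAMPLE_LOGS = """
{"ts": 1, "src_ip": "10.0.0.5", "uri_path": "/sys/tenant/list", "auth_status": "ok", "http_status": 200, "tenant_id": "1001"}
{"ts": 2, "src_ip": "203.0.113.9", "uri_path": "/sys/tenant/getTenantById", "auth_status": "failed", "http_status": 200, "tenant_id": "1002"}
{"ts": 3, "src_ip": "198.51.100.7", "uri_path": "/sys/user/login", "auth_status": "failed", "http_status": 401, "tenant_id": ""}
{"ts": 4, "src_ip": "198.51.100.7", "uri_path": "/sys/tenant/edit", "auth_status": "ok", "http_status": 200, "tenant_id": "1003"}
{"ts": 5, "src_ip": "192.0.2.4", "uri_path": "/sys/tenant/getTenantById", "auth_status": "ok", "http_status": 200, "tenant_id": "2001"}
{"ts": 6, "src_ip": "192.0.2.4", "uri_path": "/sys/tenant/getTenantById", "auth_status": "ok", "http_status": 200, "tenant_id": "2002"}
{"ts": 7, "src_ip": "192.0.2.4", "uri_path": "/sys/tenant/getTenantById", "auth_status": "ok", "http_status": 200, "tenant_id": "2003"}
{"ts": 8, "src_ip": "10.0.0.5", "uri_path": "/sys/tenant/list", "auth_status": "failed", "http_status": 401, "tenant_id": "1001"}
"""

TENANT_PREFIX = "/sys/tenant/"   # endpoint family named in the log indicators
SPREAD_THRESHOLD = 3              # distinct tenant IDs per source before alerting

def parse_logs(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def detect(events):
    """Return (rule_name, event) findings in timestamp order."""
    findings = []
    last_failed = {}                 # src_ip -> most recent failed-auth event
    tenants_seen = defaultdict(set)  # src_ip -> tenant IDs operated on with 2xx
    for ev in sorted(events, key=lambda e: e["ts"]):
        is_tenant = ev["uri_path"].startswith(TENANT_PREFIX)
        succeeded = ev["http_status"] in (200, 201)
        # Rule 1 (the SIEM query): a tenant endpoint answered 2xx although
        # authentication was recorded as failed for that very request.
        if is_tenant and ev["auth_status"] == "failed" and succeeded:
            findings.append(("tenant_op_without_auth", ev))
        # Rule 2: failed auth from a source followed by a successful tenant
        # operation from the same source.
        if ev["auth_status"] == "failed":
            last_failed[ev["src_ip"]] = ev
        elif is_tenant and succeeded and ev["src_ip"] in last_failed:
            findings.append(("tenant_op_after_failed_auth", ev))
            del last_failed[ev["src_ip"]]
        # Rule 3: one source successfully touching many distinct tenant IDs,
        # the pattern a manipulated tenant ID parameter produces.
        if is_tenant and succeeded and ev["tenant_id"]:
            tenants_seen[ev["src_ip"]].add(ev["tenant_id"])
            if len(tenants_seen[ev["src_ip"]]) == SPREAD_THRESHOLD:
                findings.append(("tenant_id_spread", ev))
    return findings
```

Against the constructed sample, `detect(parse_logs(SAMPLE_LOGS))` raises one finding per rule, at timestamps 2, 4 and 7.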
