CVE-2025-15084

3.1 LOW

📋 TL;DR

This vulnerability in youlaitech youlai-mall allows an attacker to bypass the access controls on the order payment function and interfere with payment processing. It affects deployments of the youlai-mall e-commerce platform running version 1.0.0 or 2.0.0. The attack can be carried out remotely, but it is rated high complexity and, per the exploit status below, requires an authenticated account.

💻 Affected Systems

Products:
  • youlaitech youlai-mall
Versions: 1.0.0, 2.0.0
Operating Systems: Any
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the Order Payment Handler component in the OMS module.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could manipulate payment transactions, potentially altering order amounts, payment statuses, or redirecting payments.

🟠

Likely Case

Unauthorized modification of order payment data, potentially affecting order fulfillment or payment processing integrity.

🟢

If Mitigated

Minimal impact with proper authentication and authorization controls in place.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ❌ No (an authenticated account is required)
Complexity: HIGH

A public exploit exists, but using it requires specific knowledge of the application, and the attack is rated high complexity.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

At the time of writing no official patch is available; the vendor was contacted but did not respond. Apply the workarounds below, or consider migrating to alternative software.

🔧 Temporary Workarounds

Implement Custom Access Controls

Platform: all

Add an explicit authorization check to orderService.payOrder that verifies, before any payment is processed, that the authenticated caller is permitted to act on that specific order (for example, that the order belongs to the caller and is still awaiting payment). Take the caller's identity from the authenticated session, never from request parameters or the request body.

Modify mall-oms/oms-boot/src/main/java/com/youlai/mall/oms/controller/app/OrderController.java so that the payment handler enforces this check (or delegates it to orderService.payOrder) before payment is invoked.
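The following is an added illustration of the check described above; it is not youlai-mall's code. The class, method and field names (OrderPaymentGuard, payOrder, ownerUserId, Status) are assumptions chosen to mirror the page's orderService.payOrder, and the example assumes the bypass is of the common "caller is authenticated but not authorized for this order" kind. It shows an unchecked variant beside the hardened one, and a main() that exercises both.

```java
import java.math.BigDecimal;
import java.util.HashMap;
import java.util.Map;

// Added example, not youlai-mall's code. All names here are assumptions.
public class OrderPaymentGuard {

    enum Status { PENDING_PAYMENT, PAID, CANCELLED }

    // Minimal order model: who owns it, what it costs, what state it is in.
    static final class Order {
        final long id;
        final long ownerUserId;
        final BigDecimal amount;
        Status status;
        Order(long id, long ownerUserId, BigDecimal amount) {
            this.id = id;
            this.ownerUserId = ownerUserId;
            this.amount = amount;
            this.status = Status.PENDING_PAYMENT;
        }
    }

    static final class AccessDeniedException extends RuntimeException {
        AccessDeniedException(String msg) { super(msg); }
    }

    private final Map<Long, Order> orders = new HashMap<>();

    void save(Order o) { orders.put(o.id, o); }

    // Unchecked shape (illustrative of the class of bug): the service trusts the
    // order id it is handed, so any authenticated user can drive payment of any order.
    Order payOrderUnchecked(long orderId) {
        Order o = orders.get(orderId);
        if (o == null) throw new IllegalArgumentException("no such order");
        o.status = Status.PAID;
        return o;
    }

    // Hardened shape: the user id comes from the authenticated session (in a Spring
    // controller, the principal), never from the request, and the order must belong
    // to that user and still be payable. The amount charged is the stored amount.
    Order payOrder(long orderId, long authenticatedUserId) {
        Order o = orders.get(orderId);
        // Same error for "missing" and "not yours", so order ids cannot be enumerated
        // by comparing responses.
        if (o == null || o.ownerUserId != authenticatedUserId) {
            throw new AccessDeniedException("order not found or not owned by caller");
        }
        if (o.status != Status.PENDING_PAYMENT) {
            throw new IllegalStateException("order " + orderId + " is not payable: " + o.status);
        }
        // ... hand o.amount to the payment provider here ...
        o.status = Status.PAID;
        return o;
    }

    public static void main(String[] args) {
        OrderPaymentGuard svc = new OrderPaymentGuard();
        svc.save(new Order(1001L, 7L, new BigDecimal("49.90"))); // owned by user 7
        svc.save(new Order(1002L, 7L, new BigDecimal("19.00"))); // owned by user 7

        // The owner pays their own order: allowed.
        System.out.println("owner pays 1001: " + svc.payOrder(1001L, 7L).status);

        // Another authenticated user (id 8) targets user 7's order: rejected.
        try {
            svc.payOrder(1002L, 8L);
        } catch (AccessDeniedException e) {
            System.out.println("user 8 on 1002: " + e.getMessage());
        }

        // Paying the same order twice is rejected by the state check.
        try {
            svc.payOrder(1001L, 7L);
        } catch (IllegalStateException e) {
            System.out.println("owner pays 1001 again: " + e.getMessage());
        }

        // The unchecked variant lets user 8's request succeed regardless.
        System.out.println("unchecked 1002: " + svc.payOrderUnchecked(1002L).status);
    }
}
```

The point of the hardened signature is that the controller must obtain the user id from the authenticated principal and pass it down; any `payOrder` that can be reached with only an order id has nothing to compare against. Whether youlai-mall's real handler takes a user id from the session or from the request is not stated on this page and should be confirmed in OrderController.java.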

Network Segmentation

Platform: all

Restrict access to the youlai-mall application to trusted networks only.

Configure firewall rules to limit access to application ports from authorized IP ranges only

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to detect and block suspicious order payment requests
  • Enable detailed logging of all order payment operations and monitor for unauthorized access patterns

🔍 How to Verify

Check if Vulnerable:

Check whether the deployment runs youlai-mall version 1.0.0 or 2.0.0, then inspect OrderController.java (and the orderService.payOrder it calls) to confirm whether the payment path verifies that the authenticated caller is authorized for the specific order being paid.

Check Version:

Check application configuration files or deployment manifests for version information

Verify Fix Applied:

Using two test accounts, confirm that a payment request for an order belonging to one account, submitted from the other account's authenticated session, is rejected and leaves the order unchanged; also confirm that unauthenticated requests to the payment endpoint are refused.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to order payment endpoints
  • Unusual order payment modifications from unexpected user accounts

Network Indicators:

  • Suspicious POST requests to /api/order/pay or similar payment endpoints

SIEM Query:

Field names and paths below are illustrative; adjust them to your access-log or audit-log schema (the page notes the payment endpoint is /api/order/pay "or similar"):

source="youlai-mall-logs" AND (uri_path="/api/order/pay" OR uri_path="/order/payment") AND (user_role!="authorized_role" OR auth_status="failed")
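As an added example (not part of the original page or of youlai-mall), the scan below applies the two log indicators above to constructed log lines: it flags payment requests where the acting user is not the order's owner, and users who touch an unusually large number of distinct order ids. The line format, field names and the order-owner lookup are assumptions; a real deployment must map its own log schema and resolve owners from the orders table.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example; the log format below is an assumption, not youlai-mall's real format.
public class PaymentLogScan {

    // Constructed line shape:
    //   2025-11-02T10:15:01Z user=8 POST /api/order/pay orderId=1002 status=200
    private static final Pattern LINE = Pattern.compile(
            "^(\\S+) user=(\\d+) (\\w+) (\\S+) orderId=(\\d+) status=(\\d+)$");

    private static final Set<String> PAY_PATHS = Set.of("/api/order/pay", "/order/payment");

    static final class Finding {
        final String kind;
        final String detail;
        Finding(String kind, String detail) { this.kind = kind; this.detail = detail; }
        @Override public String toString() { return kind + " :: " + detail; }
    }

    // orderOwner maps orderId -> ownerUserId (assumed to come from the orders table).
    static List<Finding> scan(List<String> lines, Map<Long, Long> orderOwner, int sweepThreshold) {
        List<Finding> out = new ArrayList<>();
        Map<Long, Set<Long>> ordersTouchedByUser = new HashMap<>();

        for (String line : lines) {
            Matcher m = LINE.matcher(line);
            if (!m.matches()) continue;                 // skip lines in another format
            long user = Long.parseLong(m.group(2));
            String method = m.group(3);
            String path = m.group(4);
            long orderId = Long.parseLong(m.group(5));
            if (!"POST".equals(method) || !PAY_PATHS.contains(path)) continue;

            Long owner = orderOwner.get(orderId);
            if (owner == null) {
                out.add(new Finding("PAY_UNKNOWN_ORDER", line));
            } else if (owner.longValue() != user) {
                // Indicator: payment on an order from an account that does not own it.
                out.add(new Finding("CROSS_ACCOUNT_PAY", line));
            }
            ordersTouchedByUser.computeIfAbsent(user, k -> new HashSet<>()).add(orderId);
        }

        // Indicator: one account driving payment across many distinct order ids.
        for (Map.Entry<Long, Set<Long>> e : ordersTouchedByUser.entrySet()) {
            if (e.getValue().size() >= sweepThreshold) {
                out.add(new Finding("ORDER_ID_SWEEP",
                        "user=" + e.getKey() + " touched " + e.getValue().size() + " distinct orders"));
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed owner table and log lines for the demonstration.
        Map<Long, Long> owner = Map.of(1001L, 7L, 1002L, 7L, 1003L, 9L);
        List<String> lines = List.of(
                "2025-11-02T10:15:01Z user=7 POST /api/order/pay orderId=1001 status=200",
                "2025-11-02T10:15:02Z user=8 POST /api/order/pay orderId=1002 status=200",
                "2025-11-02T10:15:03Z user=8 POST /api/order/pay orderId=1003 status=200",
                "2025-11-02T10:15:04Z user=8 POST /api/order/pay orderId=1004 status=404",
                "2025-11-02T10:15:05Z user=9 GET /api/order/1003 orderId=1003 status=200");
        for (Finding f : scan(lines, owner, 3)) {
            System.out.println(f);
        }
    }
}
```

Tune the sweep threshold to normal per-user order volume; a checkout that legitimately pays several orders in one session should not trip it. The cross-account rule is the higher-signal one, because in a correctly authorized system it should never fire.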
