CVE-2025-15119

3.1 LOW

📋 TL;DR

This vulnerability in JeecgBoot lets an authenticated, low-privileged user bypass the authorization check on the /sys/sysDepartRole/list endpoint by supplying a deptId for a department the user does not belong to, exposing that department's role assignments. It affects JeecgBoot deployments up to and including version 3.9.0.

💻 Affected Systems

Products:
  • JeecgBoot
Versions: Up to and including 3.9.0
Operating Systems: All platforms running JeecgBoot
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments using the vulnerable endpoint are affected regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could enumerate department roles and potentially escalate privileges to access sensitive administrative functions or user data.

🟠 Likely Case

Unauthorized viewing of department role assignments and organizational structure information.

🟢 If Mitigated

Limited to information disclosure with no direct system compromise if proper network segmentation and access controls are implemented.

🌐 Internet-Facing: MEDIUM - Remote exploitation is possible but requires specific parameter manipulation and has high complexity.
🏢 Internal Only: MEDIUM - Internal attackers could abuse this to map organizational structure and potentially identify privilege escalation paths.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: HIGH

Exploit details are publicly available but require specific parameter manipulation and understanding of the application structure.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch is available and the vendor did not respond to the disclosure. Upgrade to a release later than 3.9.0 once one is available; until then, apply the workarounds below.

🔧 Temporary Workarounds

Web Application Firewall Rule

Applies to: all

Block or rate-limit requests to /sys/sysDepartRole/list that show enumeration patterns (many distinct deptId values from one session or source address). A WAF does not know which department the caller belongs to, so it cannot judge whether a single deptId value is legitimate; it only catches bulk enumeration.

WAF-specific configuration required

Endpoint Restriction

Applies to: all

Restrict the /sys/sysDepartRole/list endpoint to accounts that are legitimately entitled to view role assignments across departments (for example system administrators), since the endpoint itself does not verify that the caller belongs to the requested deptId.

Application-specific access control configuration

🧯 If You Can't Patch

  • Implement strict network segmentation to limit access to JeecgBoot administration interfaces
  • Deploy web application firewall with rules to detect and block parameter manipulation attempts

🔍 How to Verify

Check if Vulnerable:

Authenticate as a low-privileged user, request /sys/sysDepartRole/list with a deptId of a department that user does not belong to, and check whether department role data is returned. Data for the foreign department means the deployment is vulnerable.

Check Version:

Check JeecgBoot version in application configuration or about page

Verify Fix Applied:

Repeat the same request after the fix and verify that it returns an authorization error and no role data for the foreign deptId.
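
The probe below is an added example for this advisory, not JeecgBoot code or anything from the original page. It sends one request as a low-privileged user with a deptId outside that user's own departments and classifies the answer. The response envelope (`success`, `code`, `result.records`), the `X-Access-Token` header name and the example host and token are assumptions about the deployment; adjust them to match yours.

```python
"""Probe helper for checking whether /sys/sysDepartRole/list honours the caller's
department. Added example for this advisory, not JeecgBoot code. The response
envelope ({"success", "code", "result"}) and the X-Access-Token header are
assumptions about the deployment; adjust them if yours differs."""
import json
from urllib import error, parse, request

ENDPOINT = "/sys/sysDepartRole/list"


def classify_response(status: int, body: str, requested_dept: str, caller_depts: set) -> str:
    """Decide what one probe response means.

    'vulnerable'   - role data was returned for a department the caller is not in
    'fixed'        - the request was rejected with an authorization error
    'inconclusive' - the probe was badly chosen or the answer does not settle it
    """
    # A deptId the caller legitimately belongs to proves nothing either way.
    if requested_dept in caller_depts:
        return "inconclusive"
    # A transport-level rejection is what a fixed deployment should show.
    if status in (401, 403):
        return "fixed"
    if status != 200:
        return "inconclusive"
    try:
        data = json.loads(body) if body else {}
    except ValueError:
        return "inconclusive"
    # Assumed JeecgBoot-style envelope: success flag plus a paged result object.
    if data.get("success") is False:
        # Application-level rejection behind HTTP 200; check the message to be
        # sure it is an authorization denial and not a parameter error.
        return "fixed"
    if data.get("success") is True:
        result = data.get("result")
        records = result.get("records") if isinstance(result, dict) else result
        if records:
            return "vulnerable"
        # Served without complaint but empty: the check may be missing, or the
        # department simply has no roles. Retry with another foreign deptId.
        return "inconclusive"
    return "inconclusive"


def probe(base_url: str, token: str, dept_id: str, caller_depts: set) -> str:
    """Send one probe request as a low-privileged user and classify the answer."""
    url = base_url.rstrip("/") + ENDPOINT + "?" + parse.urlencode({"deptId": dept_id})
    # Header name assumed; substitute whatever your deployment uses for its token.
    req = request.Request(url, headers={"X-Access-Token": token})
    try:
        with request.urlopen(req, timeout=10) as resp:
            status, body = resp.status, resp.read().decode("utf-8", "replace")
    except error.HTTPError as e:
        status, body = e.code, e.read().decode("utf-8", "replace")
    return classify_response(status, body, dept_id, caller_depts)


if __name__ == "__main__":
    # Placeholder invocation: a user who belongs to D100 asks for D300.
    print(probe("https://jeecg.example.internal", "<low-privilege token>", "D300", {"D100"}))
```

Run `probe` once before and once after remediation with the same low-privileged account; the first run should report `vulnerable` and the second `fixed`. An `inconclusive` result on an empty record set is not a pass: pick a department that is known to have roles assigned.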

📡 Detection & Monitoring

Log Indicators:

  • Requests to /sys/sysDepartRole/list answered with HTTP 200 where the deptId does not belong to the requesting user's own department(s)
  • Many distinct deptId values requested from one session or source address (department enumeration)

Network Indicators:

  • HTTP requests to /sys/sysDepartRole/list with non-standard deptId parameters

SIEM Query:

source="jeecgboot" AND uri="/sys/sysDepartRole/list" AND (status=200 OR parameter_anomaly=true)

Field names are placeholders for your log pipeline. A status filter alone is noisy, since legitimate requests also return 200; the useful signal is a 200 response whose deptId lies outside the caller's own departments, which requires enriching the request log with the user-to-department mapping.
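
Detection logic over a few constructed access-log lines, added here as an example (not from the page or from JeecgBoot). The log format and the user-to-department mapping are assumptions standing in for what a real access log and user directory would supply; the point is the join between the requested deptId and the caller's permitted departments that a plain status filter cannot do.

```python
"""Flag /sys/sysDepartRole/list requests whose deptId lies outside the caller's
own departments. Added example for this advisory, not JeecgBoot code. Log format
and USER_DEPTS are constructed stand-ins for a real access log and directory."""
import re
from typing import Iterable, List, Tuple
from urllib.parse import parse_qs, urlsplit

TARGET = "/sys/sysDepartRole/list"

# Assumed access-log shape: "<timestamp> <user> <method> <uri> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<uri>\S+) (?P<status>\d{3})$"
)

# Assumed directory lookup: departments each account may legitimately view.
USER_DEPTS = {
    "alice": {"D100"},
    "bob": {"D200", "D201"},
    "sysadmin": {"D100", "D200", "D201", "D300"},
}

# Constructed sample log: two bypasses, one denied attempt, the rest benign.
SAMPLE_LOG = """\
2025-01-10T09:00:01Z alice GET /sys/sysDepartRole/list?deptId=D100&pageNo=1 200
2025-01-10T09:00:05Z alice GET /sys/sysDepartRole/list?deptId=D300&pageNo=1 200
2025-01-10T09:00:09Z bob GET /sys/sysDepartRole/list?deptId=D201 200
2025-01-10T09:00:12Z bob GET /sys/sysDepartRole/list?deptId=D100 403
2025-01-10T09:00:15Z mallory GET /sys/sysDepartRole/list?deptId=D100 200
2025-01-10T09:00:20Z alice GET /sys/user/list 200
2025-01-10T09:00:21Z alice GET /sys/sysDepartRole/list 200
"""


def parse_line(line: str):
    """Return (user, status, [deptId...]) for a request to TARGET, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m["uri"])
    if parts.path != TARGET:
        return None
    dept_ids = parse_qs(parts.query).get("deptId", [])
    return m["user"], int(m["status"]), dept_ids


def find_suspicious(lines: Iterable[str], user_depts=USER_DEPTS) -> List[Tuple[str, str, str, int]]:
    """Return (kind, user, deptId, status) for every foreign-department request.

    kind is 'bypass' when the server answered 200 (data was served) and
    'denied' when it rejected the request. Unknown users have no permitted
    departments, so every deptId they request is foreign.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        user, status, dept_ids = rec
        allowed = user_depts.get(user, set())
        for dept in dept_ids:
            if dept in allowed:
                continue
            kind = "bypass" if status == 200 else "denied"
            findings.append((kind, user, dept, status))
    return findings


if __name__ == "__main__":
    for kind, user, dept, status in find_suspicious(SAMPLE_LOG.splitlines()):
        print(f"{kind:6} user={user} deptId={dept} status={status}")
```

Requests without a deptId are skipped here because the page does not say how the endpoint behaves without one; if your deployment returns all departments in that case, treat the missing parameter as its own finding. A `denied` hit is still worth a look, since it shows someone trying foreign department IDs.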
