CVE-2025-15125

3.1 LOW

📋 TL;DR

This CVE describes an improper authorization vulnerability in JeecgBoot's queryDepartPermission function. Attackers can manipulate the departId parameter to potentially access unauthorized department data. This affects JeecgBoot users up to version 3.9.0.

💻 Affected Systems

Products:
  • JeecgBoot
Versions: Up to 3.9.0
Operating Systems: All platforms running JeecgBoot
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the /sys/permission/queryDepartPermission endpoint specifically.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Unauthorized access to sensitive department information, potentially leading to data exposure or privilege escalation.

🟠 Likely Case

Limited information disclosure of department-level data without full system compromise.

🟢 If Mitigated

Minimal impact with proper authorization controls and input validation in place.

🌐 Internet-Facing: MEDIUM - Attack can be launched remotely but requires specific knowledge and high complexity exploitation.
🏢 Internal Only: MEDIUM - Internal attackers with knowledge of the system could potentially exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: HIGH

An exploit has been released publicly, but it is of high complexity to execute successfully.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch is available, and the vendor did not respond to disclosure. Consider upgrading to a version above 3.9.0 if one is available, or implement the workarounds below.

🔧 Temporary Workarounds

Input Validation and Authorization Check

Platform: all

Implement server-side validation of the departId parameter and verify the user's authorization before processing the request.

Implement custom validation in the queryDepartPermission function to verify that the user has access rights to the requested department.

Endpoint Restriction

Platform: all

Restrict access to the vulnerable endpoint using network controls or application firewalls.

Configure web application firewall rules to monitor or block suspicious requests to /sys/permission/queryDepartPermission.

🧯 If You Can't Patch

  • Implement strict access controls and monitor all requests to the vulnerable endpoint
  • Deploy web application firewall with custom rules to detect and block exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check JeecgBoot version. If version is 3.9.0 or lower, the system is potentially vulnerable. Test the /sys/permission/queryDepartPermission endpoint with various departId values.

Check Version:

Check application configuration files or use JeecgBoot's built-in version endpoint if available.

Verify Fix Applied:

After implementing workarounds, test that unauthorized departId values are properly rejected and logged.

📡 Detection & Monitoring

Log Indicators:

  • Unusual access patterns to /sys/permission/queryDepartPermission
  • Multiple failed authorization attempts with different departId values

Network Indicators:

  • Suspicious parameter manipulation in HTTP requests to the vulnerable endpoint

SIEM Query:

source="web_logs" AND uri="/sys/permission/queryDepartPermission" AND (status=200 OR parameter_manipulation_detected=true)
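As an added example (not part of the advisory or of JeecgBoot), the following Python implements the two log indicators above over constructed access-log lines: it flags successful (HTTP 200) reads of a departId outside the requesting user's known departments, and flags users that query many distinct departId values. The log line format and the user-to-department mapping are assumptions; adapt the parser to your real access logs.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real JeecgBoot output): user, client IP,
# method, request path with query string, and HTTP status.
SAMPLE_LOGS = [
    "user=alice ip=10.0.0.5 GET /sys/permission/queryDepartPermission?departId=1001 200",
    "user=alice ip=10.0.0.5 GET /sys/permission/queryDepartPermission?departId=1002 200",
    "user=alice ip=10.0.0.5 GET /sys/permission/queryDepartPermission?departId=1003 200",
    "user=alice ip=10.0.0.5 GET /sys/permission/queryDepartPermission?departId=1004 200",
    "user=bob ip=10.0.0.9 GET /sys/permission/queryDepartPermission?departId=2001 200",
    "user=bob ip=10.0.0.9 GET /sys/other/endpoint?departId=9999 200",
]

# Constructed authorization map (assumption): departments each user legitimately belongs to.
USER_DEPARTMENTS = {"alice": {"1001"}, "bob": {"2001"}}

ENDPOINT = "/sys/permission/queryDepartPermission"
LINE_RE = re.compile(
    r"user=(?P<user>\S+) ip=(?P<ip>\S+) (?P<method>\S+) "
    r"(?P<path>[^?\s]+)(?:\?(?P<query>\S+))? (?P<status>\d{3})"
)


def parse_line(line):
    """Parse one constructed log line into a dict, extracting departId from the query string."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    query = rec.get("query") or ""
    params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
    rec["departId"] = params.get("departId")
    return rec


def analyze(lines, user_departments, enum_threshold=3):
    """Return findings for the vulnerable endpoint: out-of-scope 200s and departId enumeration."""
    distinct_ids = defaultdict(set)
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != ENDPOINT or rec["departId"] is None:
            continue  # only the affected endpoint with a departId parameter is of interest
        distinct_ids[rec["user"]].add(rec["departId"])
        allowed = user_departments.get(rec["user"], set())
        if rec["status"] == "200" and rec["departId"] not in allowed:
            findings.append(("out_of_scope_success", rec["user"], rec["departId"]))
    for user, ids in distinct_ids.items():
        if len(ids) >= enum_threshold:
            findings.append(("departId_enumeration", user, len(ids)))
    return findings
```

A successful response for a departId the user does not belong to is the stronger signal; the enumeration count alone also fires on legitimate administrators, so tune the threshold to your environment.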
