CVE-2025-45615
📋 TL;DR
This vulnerability allows attackers to bypass access controls in yaoqishan's admin API, enabling unauthorized users to gain administrative privileges. It affects all deployments of yaoqishan v0.0.1-SNAPSHOT with the admin API exposed. Attackers can exploit this without authentication to take full control of affected systems.
💻 Affected Systems
- yaoqishan
📦 What is this software?
Yaoqishan by User Xiangpeng
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise where attackers gain administrative control, allowing them to execute arbitrary commands, access sensitive data, modify configurations, and potentially pivot to other systems.
Likely Case
Attackers gain administrative access to the yaoqishan application, enabling them to view/modify all application data, change user permissions, and potentially execute code on the underlying system.
If Mitigated
With proper network segmentation and API access controls, impact is limited to the yaoqishan application instance only.
🎯 Exploit Status
The vulnerability requires crafting a specific request to the /admin/ API endpoint. No authentication is required to exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: https://github.com/user-xiangpeng/yaoqishan/issues/29
Restart Required: No
Instructions:
1. Check the GitHub issue for any updates or patches.
2. If no official patch exists, consider workarounds or alternative software.
3. Monitor the repository for security updates.
🔧 Temporary Workarounds
Network Access Restriction
Block external access to the /admin/ API endpoint using firewall rules or network segmentation.
iptables -A INPUT -p tcp --dport [yaoqishan-port] -m string --string "/admin/" --algo bm -j DROP
Note that the string match only sees the path in unencrypted HTTP traffic where it arrives within a single packet; restricting the port to trusted source addresses (for example with -s [trusted-cidr]) is the more reliable control.
Reverse Proxy Configuration
Configure the reverse proxy (nginx/apache) to block requests to the /admin/ endpoint from untrusted networks.
location /admin/ { allow [trusted-cidr]; deny all; }
(nginx: list the trusted source ranges with allow before the final deny all; with deny all alone the endpoint is closed to everyone.)
🧯 If You Can't Patch
- Immediately restrict network access to the yaoqishan instance using firewall rules.
- Implement strict authentication and authorization controls at the network perimeter for the /admin/ endpoint.
🔍 How to Verify
Check if Vulnerable:
Attempt to access the /admin/ API endpoint without authentication. If you can perform admin operations, the system is vulnerable.
Check Version:
Check the application version in configuration files or via application metadata endpoints.
Verify Fix Applied:
Test that unauthorized requests to /admin/ endpoints are properly rejected with appropriate error codes (403 Forbidden).
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to /admin/ endpoints
- Successful admin API calls from non-admin IP addresses
- Authentication bypass logs
Network Indicators:
- HTTP requests to /admin/ paths from unexpected sources
- Unusual traffic patterns to admin endpoints
SIEM Query:
source="yaoqishan" AND (uri_path="/admin/*" AND user="anonymous")
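The detection logic above, applied to proxy access logs, as an added example that is not part of this advisory or the yaoqishan project. It assumes the reverse proxy in front of yaoqishan writes nginx-style combined log lines with a remote-user field, and the sample lines and trusted network range are constructed for illustration.

```python
import re
from ipaddress import ip_address, ip_network
# nginx combined log layout with the remote-user field (assumption about the proxy).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Networks from which admin API use is expected (assumption; adjust per site).
TRUSTED_ADMIN_NETS = [ip_network("10.0.0.0/8")]

def parse_line(line):
    # Returns (ip, user, path, status) or None for lines not in the log format.
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], m["user"], m["path"], int(m["status"])

def classify(ip, user, path, status):
    # Returns a detection reason for a request under /admin/, or None.
    if not path.startswith("/admin/"):
        return None
    trusted = any(ip_address(ip) in net for net in TRUSTED_ADMIN_NETS)
    if user == "-" and status < 400:
        # Same condition as the SIEM query: admin path served to an anonymous user.
        return "anonymous admin request accepted"
    if status < 300 and not trusted:
        return "successful admin call from untrusted source"
    if user == "-":
        return "anonymous admin request rejected"
    return None

def find_suspicious(lines):
    # Returns (ip, path, status, reason) for every line that trips a rule.
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        reason = classify(*parsed)
        if reason:
            hits.append((parsed[0], parsed[2], parsed[3], reason))
    return hits

# Constructed sample lines, not captured traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/May/2025:10:00:01 +0000] "GET /admin/users HTTP/1.1" 200 512 "-" "curl/8.0"',
    '10.1.2.3 - alice [01/May/2025:10:00:05 +0000] "POST /admin/roles HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/May/2025:10:00:09 +0000] "GET /admin/config HTTP/1.1" 403 0 "-" "python-requests/2.31"',
    '203.0.113.7 - - [01/May/2025:10:00:12 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/8.0"',
]
```

Running find_suspicious(SAMPLE_LOG) flags the accepted anonymous request as the high-priority hit and the rejected one as an access attempt, while the authenticated call from the trusted range and the non-admin request produce nothing.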