CVE-2025-46174

7.5 HIGH

📋 TL;DR

Ruoyi v4.8.0 has an incorrect access control vulnerability in the resetPwd method that allows unauthorized password resets. Attackers can reset passwords of any user account without proper permission checks. This affects all deployments using the vulnerable version of Ruoyi.

💻 Affected Systems

Products:
  • Ruoyi
Versions: v4.8.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Ruoyi v4.8.0; other versions may be safe.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete account takeover of any user including administrators, leading to full system compromise and data breach.

🟠 Likely Case: Unauthorized password reset of regular user accounts enabling privilege escalation or lateral movement.

🟢 If Mitigated: Limited impact with proper network segmentation and monitoring detecting unauthorized password reset attempts.

🌐 Internet-Facing: HIGH - Web applications exposed to internet are directly exploitable.
🏢 Internal Only: MEDIUM - Internal attackers can exploit this for privilege escalation.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires authenticated access but bypasses permission checks; public proof-of-concept available in references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in commit ea4af7a8cf54393b11d3d286e0aaeb3df8a9aaef

Vendor Advisory: https://gitee.com/y_project/RuoYi/issues/IC1JZR

Restart Required: Yes

Instructions:

1. Update to the latest Ruoyi version or apply commit ea4af7a8cf54393b11d3d286e0aaeb3df8a9aaef.
2. Rebuild and redeploy the application.
3. Restart the application server.

🔧 Temporary Workarounds

Temporary access control hardening

all

Manually add a permission check to the resetPwd method in SysUserController.java.

Edit SysUserController.java and add the @RequiresPermissions("system:user:resetPwd") annotation on the resetPwd method, so that only callers holding that permission can reach the reset logic.

🧯 If You Can't Patch

  • Implement network-level access controls to restrict who can access the user management endpoints.
  • Enable detailed logging and monitoring for password reset attempts and implement alerting.

🔍 How to Verify

Check if Vulnerable:

In Ruoyi v4.8.0, check whether the resetPwd method in SysUserController.java lacks the @RequiresPermissions annotation; if it does, the deployment is vulnerable.

Check Version:

Check application version in Ruoyi admin interface or project configuration files.

Verify Fix Applied:

Verify that the @RequiresPermissions("system:user:resetPwd") annotation is present on the resetPwd method in the patched version.

📡 Detection & Monitoring

Log Indicators:

  • Multiple password reset requests from single user
  • Password reset requests for accounts not owned by requester

Network Indicators:

  • POST requests to /system/user/resetPwd endpoint with different user IDs

SIEM Query:

source="web_logs" AND uri="/system/user/resetPwd" AND status=200 | stats count by src_ip, user_id
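The following is an added example, not part of this advisory, that applies the same detection logic offline: it counts successful resetPwd calls per (src_ip, user_id) exactly as the SIEM query does, and additionally flags the second log indicator above, resets of accounts not owned by the requester. The log format, the field names (user_id for the authenticated caller, target for the account named in the POST body) and the sample lines are constructed for this example; a plain access log would not normally carry the request body, so the target field is assumed to come from an application-level log.

```python
"""Offline equivalent of the advisory's SIEM query plus the
"reset of an account not owned by the requester" indicator.
Added example; log format and sample lines are constructed."""
import re
from collections import Counter

RESET_URI = "/system/user/resetPwd"

# Constructed sample log lines (not real traffic). Format assumed:
# <src_ip> user_id=<caller> <method> <uri> <status> target=<account in body or ->
SAMPLE_LOGS = """\
10.0.0.5 user_id=alice POST /system/user/resetPwd 200 target=alice
10.0.0.5 user_id=alice POST /system/user/resetPwd 200 target=admin
10.0.0.5 user_id=alice POST /system/user/resetPwd 200 target=bob
10.0.0.9 user_id=bob POST /system/user/list 200 target=-
10.0.0.9 user_id=bob POST /system/user/resetPwd 403 target=admin
10.0.0.7 user_id=carol POST /system/user/resetPwd 200 target=carol
"""

LINE_RE = re.compile(
    r"^(?P<src_ip>\S+) user_id=(?P<user_id>\S+) (?P<method>\S+) (?P<uri>\S+) "
    r"(?P<status>\d{3}) target=(?P<target>\S+)$"
)


def parse_logs(text):
    """Parse the constructed log format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["status"] = int(d["status"])
        events.append(d)
    return events


def reset_counts(events):
    """uri="/system/user/resetPwd" AND status=200 | stats count by src_ip, user_id"""
    counts = Counter()
    for e in events:
        if e["uri"] == RESET_URI and e["status"] == 200:
            counts[(e["src_ip"], e["user_id"])] += 1
    return dict(counts)


def foreign_resets(events):
    """Successful resets where the target account is not the requester's own."""
    return [
        (e["src_ip"], e["user_id"], e["target"])
        for e in events
        if e["uri"] == RESET_URI and e["status"] == 200 and e["target"] != e["user_id"]
    ]


def suspicious_requesters(events, threshold=2):
    """(src_ip, user_id) pairs worth alerting on: either many successful resets
    from one requester, or any successful reset of someone else's account."""
    flagged = {key for key, n in reset_counts(events).items() if n >= threshold}
    flagged.update((ip, uid) for ip, uid, _ in foreign_resets(events))
    return flagged


if __name__ == "__main__":
    evts = parse_logs(SAMPLE_LOGS)
    for key, n in sorted(reset_counts(evts).items()):
        print("resets", key, n)
    for hit in foreign_resets(evts):
        print("foreign reset", hit)
    print("alert on", sorted(suspicious_requesters(evts)))
```

Note that the 403 line for bob is deliberately excluded by the status=200 filter, matching the advisory's query; if the fix has been applied, denied attempts will show up as such and may still be worth a lower-severity alert.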

🔗 References
