CVE-2025-55371

5.3 MEDIUM

📋 TL;DR

jshERP v3.5 does not enforce access control on the getAllList method of PersonController.java, so an unauthenticated remote attacker can retrieve the application's handler (person) records. Any organization running the vulnerable version is affected; the exposed records are employee or user master data that can feed reconnaissance and targeted attacks.

💻 Affected Systems

Products:
  • jshERP
Versions: v3.5
Operating Systems: Any OS running jshERP
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default configuration of jshERP v3.5.

📦 What is this software?

jshERP is an open-source ERP system with a Java (Spring Boot) backend and a Vue frontend, covering inventory, purchasing, sales and finance. PersonController.java is the backend controller that serves the application's "handler" master data, the people recorded as responsible for transactions, and getAllList is the method that returns the full list of those records.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Every handler record in the system is retrieved by an anonymous attacker: personnel names and whatever contact or role details the records hold. That data supports staff impersonation, targeted phishing and mapping of the organization as the starting point for a wider compromise.

🟠 Likely Case

An unauthenticated attacker enumerates the handler list for reconnaissance or bulk data harvesting ahead of targeted attacks.

🟢 If Mitigated

Limited impact: with the application kept off the internet, network segmentation in place and the endpoint behind an authentication check, only an attacker already inside the trusted network could reach it.

🌐 Internet-Facing: HIGH if the application is exposed to the internet without proper authentication controls.
🏢 Internal Only: MEDIUM as internal attackers could still exploit this to gain unauthorized access to sensitive information.

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

No public proof of concept is listed, but exploitation appears to require nothing more than an HTTP GET to the route mapped to getAllList without a session: no credentials, no user interaction and no special tooling.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: No fixed release is named on this page; check the GitHub repository for a release or commit after v3.5 that adds an access-control check to PersonController.getAllList

Vendor Advisory: https://github.com/jishenghua/jshERP

Restart Required: Yes (jshERP is a Java application; the backend must be redeployed and restarted after upgrading)

Instructions:

1. Check the jshERP GitHub repository for security updates addressing CVE-2025-55371.
2. Upgrade to a fixed version, or apply the corresponding patch, and restart the backend.
3. Verify that getAllList in PersonController.java is now covered by the application's authentication check (see How to Verify below).

🔧 Temporary Workarounds

Implement Access Control (all platforms)

Enforce an authentication check on getAllList before the method body runs, using the same mechanism jshERP applies to its other endpoints (its request filter or interceptor). If the project used Spring Security, @PreAuthorize on the handler method would be the equivalent. Whichever mechanism is used, it must reject anonymous requests server-side; hiding the data in the frontend is not a control.

Network Segmentation (all platforms)

Restrict network access to the jshERP application to authorized users and networks (VPN or allow-listed source ranges), and configure firewall or reverse-proxy rules so the backend API is not reachable directly from the internet.

🧯 If You Can't Patch

  • Add a WAF or reverse-proxy rule that rejects requests to the HTTP route PersonController.java maps to getAllList unless they carry the application's session token. Note that the controller's class name is not the URL path; read the route from the @RequestMapping annotations in the source.
  • Monitor and alert on requests to that route from clients that have not authenticated.

🔍 How to Verify

Check if Vulnerable:

Confirm the deployment is running jshERP v3.5, then send a GET request to the HTTP route that PersonController.java maps to getAllList (take the route from the @RequestMapping annotations in the source; the class name is not the URL) with no session cookie or token header. A 200 response containing handler records confirms the flaw.

Check Version:

Read the version from the jshERP web interface or from the backend's configuration and build files.

Verify Fix Applied:

Repeat the anonymous request after patching. It should be refused (401/403, a redirect to login, or the application's own authentication error) and return no handler records, while a request with a valid session should still return them.
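The anonymous probe described above, as an added example for this advisory (not jshERP project code). The route that PersonController.java maps to getAllList is not stated on this page, so ROUTE is a placeholder to be replaced after reading the controller's @RequestMapping annotations; the JSON envelope jshERP returns is likewise not fixed here, so the classifier looks for any list of record objects in the body rather than a specific key. The classification logic is kept in a pure function so it can be checked without a live server.

```python
"""Unauthenticated probe for the getAllList access-control flaw in jshERP v3.5.

Added example for this advisory, not jshERP project code. Assumptions:
  * ROUTE is a placeholder for the HTTP path PersonController maps to
    getAllList; confirm it from the @RequestMapping/@GetMapping annotations
    in PersonController.java before use.
  * The request is sent with no cookies and no token header, i.e. as an
    anonymous client. The response envelope is not fixed by the advisory, so
    the classifier searches the JSON body for any list of record objects.
"""
import json
import sys
import urllib.error
import urllib.request

ROUTE = "/PLACEHOLDER_ROUTE_FOR_getAllList"  # placeholder, see module docstring


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses as HTTPError instead of following them, so a
    redirect to the login page is visible to the classifier."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def _find_record_list(node):
    """Depth-first search for the first non-empty list whose items are all objects.

    Heuristic: a successful data response is assumed to carry a list of record
    objects somewhere in the tree; an error envelope normally carries none.
    """
    if isinstance(node, list):
        if node and all(isinstance(item, dict) for item in node):
            return node
        for item in node:
            found = _find_record_list(item)
            if found is not None:
                return found
    elif isinstance(node, dict):
        for value in node.values():
            found = _find_record_list(value)
            if found is not None:
                return found
    return None


def classify_response(status, body):
    """Interpret the response to an anonymous request to the getAllList route.

    VULNERABLE   - HTTP 200 whose JSON body carries a list of record objects
    PROTECTED    - 401/403, a redirect (typically to login), or a 200 whose JSON
                   body carries no record list (an application-level auth error)
    INCONCLUSIVE - any other status, or a non-JSON 200 (wrong route, or a
                   single-page-app index page served for an unknown path)

    Caveat: an empty handler table also yields a 200 without records, so seed
    at least one test record before treating PROTECTED as proof of a fix.
    """
    if status in (401, 403) or 300 <= status < 400:
        return "PROTECTED"
    if status != 200:
        return "INCONCLUSIVE"
    try:
        payload = json.loads(body)
    except ValueError:
        return "INCONCLUSIVE"
    return "VULNERABLE" if _find_record_list(payload) is not None else "PROTECTED"


def probe(base_url, route=ROUTE, timeout=10):
    """Send one anonymous GET (no cookies, no token) and return (status, verdict)."""
    opener = urllib.request.build_opener(_NoRedirect)
    request = urllib.request.Request(base_url.rstrip("/") + route, method="GET")
    try:
        with opener.open(request, timeout=timeout) as response:
            status = response.status
            body = response.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as err:
        status = err.code
        body = err.read().decode("utf-8", errors="replace")
    return status, classify_response(status, body)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: probe_getalllist.py https://erp.example.internal")
    http_status, verdict = probe(sys.argv[1])
    print(f"HTTP {http_status}: {verdict}")
```

Run it before and after patching with the same base URL: the first run should report VULNERABLE on a v3.5 instance that has at least one handler record, the second PROTECTED. Treat INCONCLUSIVE as "check the route", not as a pass.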

📡 Detection & Monitoring

Log Indicators:

  • Successful (HTTP 200) requests to the route mapped to PersonController.getAllList from clients that never authenticated (no session cookie or token header, or no preceding login)
  • Bursts of requests to that route from a single source, especially from addresses with no other activity against the application

Network Indicators:

  • Traffic to the getAllList route from addresses that have never reached the login route
  • Requests to the route carrying no session token or cookie

SIEM Query:

Splunk-style example; field names depend on your log source, and the uri_path value is a placeholder to be replaced with the route that PersonController.java maps to getAllList (confirm it from the @RequestMapping annotations in the source; the original query's "/controller/PersonController" was the class name, not a URL):

source="jshERP" uri_path="<route mapped to PersonController.getAllList>" status=200 NOT session_token=*
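The log-based detection above, as an added example for this advisory (not jshERP project code) run over constructed access-log lines. Standard reverse-proxy logs do not record the session token, so "unauthenticated" is inferred: a source that reads the getAllList route successfully without an earlier successful call to the login route in the same log window. Both route values are placeholders to be replaced with the real mappings from the jshERP source; the SAMPLE_LOG lines are constructed for this example.

```python
"""Flag anonymous reads of the jshERP getAllList route from access logs.

Added example for this advisory, not jshERP project code. Assumptions:
  * Logs are in the common/combined format (client IP, timestamp, request
    line, status). Since the session token is not logged, a read is treated
    as anonymous when the source has not logged in earlier in the window.
  * GETALLLIST_ROUTE and LOGIN_ROUTE are placeholders; confirm both from the
    @RequestMapping annotations in the jshERP source.
  * SAMPLE_LOG is constructed for this example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

GETALLLIST_ROUTE = "/PLACEHOLDER_ROUTE_FOR_getAllList"  # placeholder
LOGIN_ROUTE = "/PLACEHOLDER_LOGIN_ROUTE"                # placeholder

# Common log format up to the status code; the trailing fields are not needed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample: one user logs in then reads; one source reads twice with
# no login (the pre-patch exploitation pattern); one source is refused.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jun/2025:09:01:02 +0000] "POST /PLACEHOLDER_LOGIN_ROUTE HTTP/1.1" 200 312
10.0.0.5 - - [12/Jun/2025:09:01:05 +0000] "GET /PLACEHOLDER_ROUTE_FOR_getAllList HTTP/1.1" 200 4821
203.0.113.9 - - [12/Jun/2025:09:02:11 +0000] "GET /PLACEHOLDER_ROUTE_FOR_getAllList HTTP/1.1" 200 4821
203.0.113.9 - - [12/Jun/2025:09:02:12 +0000] "GET /PLACEHOLDER_ROUTE_FOR_getAllList?type=sales HTTP/1.1" 200 4821
198.51.100.7 - - [12/Jun/2025:09:03:00 +0000] "GET /PLACEHOLDER_ROUTE_FOR_getAllList HTTP/1.1" 403 57
"""


@dataclass
class SourceActivity:
    logged_in: bool = False     # saw a successful POST to the login route
    anonymous_reads: int = 0    # HTTP 200 on getAllList before any login
    denied_reads: int = 0       # 401/403 on getAllList


def parse_line(line):
    """Return (ip, method, path, status) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("target").split("?", 1)[0]  # drop the query string
    return m.group("ip"), m.group("method"), path, int(m.group("status"))


def summarize(lines):
    """Aggregate per-source activity on the login and getAllList routes, in log order."""
    activity = defaultdict(SourceActivity)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, method, path, status = parsed
        entry = activity[ip]
        if path == LOGIN_ROUTE and method == "POST" and status == 200:
            entry.logged_in = True
        elif path == GETALLLIST_ROUTE:
            if status == 200 and not entry.logged_in:
                entry.anonymous_reads += 1
            elif status in (401, 403):
                entry.denied_reads += 1
    return dict(activity)


def alerts(lines):
    """Sources that read getAllList successfully with no prior login."""
    return sorted(ip for ip, a in summarize(lines).items() if a.anonymous_reads)


def denied_attempts(lines):
    """Sources whose reads were refused: after patching, still worth alerting
    on as probing for this CVE."""
    return sorted(ip for ip, a in summarize(lines).items() if a.denied_reads)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("anonymous reads succeeded from:", alerts(lines))
    print("anonymous reads denied from:", denied_attempts(lines))
```

The inference has a known blind spot: behind a shared NAT address, one legitimate login masks anonymous reads from anyone else on that address. Where the reverse proxy can log whether the session token header or cookie was present on each request, alert on that field directly instead of on login ordering.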

🔗 References

  • jshERP repository: https://github.com/jishenghua/jshERP