CVE-2025-56161
📋 TL;DR
YOSHOP 2.0 exposes sensitive user information through unauthenticated API endpoints. Attackers can retrieve bcrypt password hashes, mobile numbers, and financial data without authentication. All deployments using the vulnerable Goods module are affected.
💻 Affected Systems
- YOSHOP 2.0
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers harvest password hashes for offline cracking, compromise user accounts, access financial data, and potentially pivot to other systems using stolen credentials.
Likely Case
Mass data exfiltration of user PII and password hashes leading to credential stuffing attacks and privacy violations.
If Mitigated
Limited exposure if API endpoints are firewalled or behind authentication, but still vulnerable to insider threats.
🎯 Exploit Status
Simple HTTP GET requests to comment-list endpoints with no authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None available
Restart Required: No
Instructions:
1. Add $hidden or $visible attributes to the User.php model to exclude sensitive fields.
2. Implement field filtering in the Comment model's eager loading.
3. Add authentication to the comment-list API endpoints.
🔧 Temporary Workarounds
API Endpoint Restriction
Block unauthenticated access to comment-list endpoints via the web server or an application firewall
# Example nginx location block
location ~* /api/goods\.pinglun/list {
deny all;
}
Model Field Filtering
Modify the Comment model to explicitly select only non-sensitive fields when loading User relations
// In Comment model, constrain the eager-loaded User relation to safe columns
// instead of loading the whole user row (hashes, mobile, balances):
$this->with(['user' => function ($query) {
    // Laravel-style column restriction; on ThinkPHP-based builds use $query->field(...) instead
    $query->select('id', 'name', 'email'); // Only safe fields, never password_hash, mobile, pay_money, expend_money
}]);
🧯 If You Can't Patch
- Implement network segmentation to restrict API endpoint access to trusted sources only
- Deploy WAF rules to detect and block requests attempting to access sensitive user fields
🔍 How to Verify
Check if Vulnerable:
Send GET request to /api/goods.pinglun/list (or similar endpoint) and check if response contains password_hash, mobile, pay_money, or expend_money fields
Check Version:
Check YOSHOP version in application configuration or composer.json
Verify Fix Applied:
After applying fixes, verify same endpoint no longer returns sensitive fields and requires authentication
📡 Detection & Monitoring
Log Indicators:
- Unusual volume of requests to comment-list endpoints
- Requests from unexpected IPs to API endpoints
Network Indicators:
- HTTP GET requests to paths containing 'goods.pinglun' or similar patterns
- Responses containing bcrypt hash patterns ($2a$, $2b$, $2y$)
SIEM Query:
http.method:GET AND (http.uri:*goods*pinglun* OR http.uri:*comment*list*) AND NOT user.authenticated:true
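An added checker (not from the advisory or the YoShop project) that covers both the "How to Verify" step and the bcrypt network indicator above: it takes a comment-list response status and body, walks the JSON for the leaked field names wherever they are nested, and counts bcrypt-shaped strings. The sample bodies and the `nick_name`/`user_id` keys are constructed for the demo, not captured traffic.

```python
import json
import re

# Field names the advisory lists as leaking from the comment-list response
SENSITIVE_FIELDS = {"password_hash", "mobile", "pay_money", "expend_money"}
# bcrypt hash: $2a$/$2b$/$2y$ prefix, two-digit cost, 53 chars of salt+digest
BCRYPT_RE = re.compile(r"\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}")

def find_sensitive_fields(node, path=""):
    """Walk decoded JSON recursively; return (json_path, key) for every
    sensitive key, however deeply it is nested (e.g. list[0].user)."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if key in SENSITIVE_FIELDS:
                hits.append((child, key))
            hits.extend(find_sensitive_fields(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_sensitive_fields(item, f"{path}[{i}]"))
    return hits

def scan_response(status_code, body):
    """'fixed' if the endpoint now demands auth or returns only safe fields,
    'vulnerable' if sensitive keys or bcrypt hashes are present."""
    if status_code in (401, 403):
        return {"verdict": "fixed", "fields": [], "bcrypt_hashes": 0}
    try:
        data = json.loads(body)
    except json.JSONDecodeError:  # HTML error page or WAF block page
        return {"verdict": "unknown", "fields": [], "bcrypt_hashes": 0}
    fields = find_sensitive_fields(data)
    hashes = len(BCRYPT_RE.findall(body))  # catches renamed hash fields too
    verdict = "vulnerable" if fields or hashes else "fixed"
    return {"verdict": verdict, "fields": fields, "bcrypt_hashes": hashes}

# Constructed sample bodies (not captured traffic): one leaking, one filtered
SAMPLE_VULNERABLE = json.dumps({"code": 1, "data": {"list": [{"comment_id": 7,
    "content": "good", "user": {"user_id": 3, "nick_name": "alice",
    "mobile": "13800000000", "pay_money": "120.00", "expend_money": "30.00",
    "password_hash": "$2y$10$" + "a" * 53}}]}})
SAMPLE_FIXED = json.dumps({"code": 1, "data": {"list": [{"comment_id": 7,
    "content": "good", "user": {"user_id": 3, "nick_name": "alice"}}]}})

if __name__ == "__main__":
    for name, body in (("before fix", SAMPLE_VULNERABLE), ("after fix", SAMPLE_FIXED)):
        print(name, scan_response(200, body))
```

Feed it the real status and body from the GET described under "Check if Vulnerable"; a 401/403, or a body with no listed fields and no bcrypt strings, means the fix is in place.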