CVE-2025-66736
📋 TL;DR
CVE-2025-66736 is an authorization bypass vulnerability in youlai-boot V2.21.1 where the importUsers function lacks proper permission checks. This allows authenticated regular users to import arbitrary user data into the database, potentially creating administrative accounts or modifying existing users. Organizations using youlai-boot V2.21.1 are affected.
💻 Affected Systems
- youlai-boot
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An attacker could create administrative accounts, modify existing user permissions, or completely compromise the system by importing malicious user data with elevated privileges.
Likely Case
Regular users gain unauthorized ability to create or modify user accounts, potentially escalating their privileges or disrupting normal system operations.
If Mitigated
With proper authentication and authorization controls, only authorized administrators can perform user import operations.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once authenticated. The vulnerability details and proof-of-concept are publicly available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in commit 9197065102f92264ded814a9d3e9f2a4ff0da121
Vendor Advisory: https://gitee.com/youlaiorg/youlai-boot/issues/ICH8FV
Restart Required: Yes
Instructions:
1. Update to the latest version of youlai-boot that includes the fix commit.
2. Rebuild the application.
3. Redeploy the updated application.
4. Restart the application server.
🔧 Temporary Workarounds
Add permission check to importUsers endpoint
Manually add authorization checks to the SysUserController.java file to restrict the importUsers function to administrators only.
- Modify SysUserController.java to include a @PreAuthorize("hasRole('ADMIN')") annotation on the importUsers method
Disable user import functionality
Temporarily disable or restrict access to the user import endpoint through a web application firewall or application configuration.
- Configure the WAF to block requests to the /sys/user/import endpoint
- Modify the application security configuration to restrict endpoint access
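As an added illustration of the first workaround (not code taken from youlai-boot), this shows the shape of the unguarded controller method beside the same method guarded with @PreAuthorize, plus the configuration that is needed for the annotation to be enforced at all. The class names, method signature and role naming are assumptions; only the endpoint path comes from the page.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.multipart.MultipartFile;

// @PreAuthorize is only evaluated when method security is switched on somewhere in
// the application: @EnableMethodSecurity on Spring Security 6, or
// @EnableGlobalMethodSecurity(prePostEnabled = true) on Spring Security 5.
// Without this, the annotation is silently ignored and the endpoint stays open
// to every authenticated user, so verify it is present before trusting the fix.
@Configuration
@EnableMethodSecurity
class MethodSecurityConfig {
}

// Hypothetical controller standing in for SysUserController.java.
@RestController
@RequestMapping("/sys/user")
class SysUserController {

    // BEFORE (vulnerable shape described by the advisory): no authorization
    // annotation, so any authenticated user can reach the import.
    //
    //   @PostMapping("/import")
    //   public String importUsers(@RequestParam("file") MultipartFile file) {
    //       return doImport(file);
    //   }

    // AFTER (workaround / fix shape): only administrators may import users.
    // hasRole('ADMIN') matches a granted authority named "ROLE_ADMIN"; if the
    // application stores authorities without the ROLE_ prefix (an assumption
    // about its role model), hasAuthority("ADMIN") is the equivalent check.
    @PreAuthorize("hasRole('ADMIN')")
    @PostMapping("/import")
    public String importUsers(@RequestParam("file") MultipartFile file) {
        return doImport(file);
    }

    // Placeholder for the real import logic (parsing the upload and writing
    // user records); unchanged by the fix.
    private String doImport(MultipartFile file) {
        return "imported " + file.getOriginalFilename();
    }
}
```

A regular (non-admin) authenticated user now receives a 403 from the method-security interceptor before the import logic runs, which is the behaviour the "Verify Fix Applied" step below expects.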
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the vulnerable application from sensitive systems
- Enable detailed logging and monitoring for user import activities and set up alerts for suspicious behavior
🔍 How to Verify
Check if Vulnerable:
Check whether your youlai-boot version is V2.21.1 and examine SysUserController.java for a missing @PreAuthorize annotation on the importUsers method.
Check Version:
Check the application version in the pom.xml or application.properties files, or use git log to verify that the commit history includes the fix.
Verify Fix Applied:
Verify that the importUsers method in SysUserController.java now carries a proper authorization annotation (@PreAuthorize), and test that regular users cannot access the import functionality.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to /sys/user/import endpoint
- User import activities from non-administrative accounts
- Multiple user creation events in short timeframes
Network Indicators:
- HTTP POST requests to /sys/user/import from unauthorized IPs or users
- Unusual spikes in user management API calls
SIEM Query:
source="application.logs" AND (uri="/sys/user/import" AND NOT user_role="ADMIN")