CVE-2025-67342
📋 TL;DR
RuoYi versions 4.8.1 and earlier contain a stored cross-site scripting (XSS) vulnerability in the menu editing endpoint (/system/menu/edit). An attacker who holds menu modification permissions can store script in menu data; the script then executes in the browser of every user who loads the affected menu, so a single account with menu editing rights can reach every other user of the installation, including administrators.
💻 Affected Systems
- RuoYi
📦 What is this software?
RuoYi (yangzongzhuan/RuoYi) is an open-source Java back-office management framework built on Spring Boot; its built-in system administration module includes the role and menu management screens affected here.
⚠️ Risk & Real-World Impact
Worst Case
An attacker with menu editing privileges stores a payload that runs in every user's browser: session cookies can be stolen, actions performed as other users (including administrators), users redirected to attacker-controlled sites, or malware delivered to everyone who loads the menu.
Likely Case
An insider or a compromised account that legitimately holds menu editing permissions plants a payload that captures administrative credentials or sessions, or performs a limited set of unauthorized actions through other users' sessions.
If Mitigated
With strict validation of menu fields on input and consistent, context-aware output encoding in the templates, injected markup is either rejected or stored inertly and never executes; the residual impact is at most corrupted menu data.
🎯 Exploit Status
Exploitation requires an authenticated account that holds menu editing permissions; no unauthenticated path is described. The GitHub issue linked under Vendor Advisory contains the technical details of the filter bypass.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.8.2 or later
Vendor Advisory: https://github.com/yangzongzhuan/RuoYi/issues/308
Restart Required: Yes
Instructions:
1. Back up your current installation (application files and database).
2. Download RuoYi version 4.8.2 or later from the official repository.
3. Replace the vulnerable files with the patched versions.
4. Restart the application server.
5. Verify the fix: submit a harmless test value (for example a menu name containing <b>test</b>) through the menu edit form and confirm it is rendered as literal text rather than interpreted as HTML.
🔧 Temporary Workarounds
Input Validation Enhancement
Add input validation that rejects dangerous menu data before it is stored: length limits, no control characters, and an allowlist of URL schemes for the menu URL field (relative paths, http, https).
Modify the menu controller to enforce this validation for every menu field, not only the name.
Output Encoding
Ensure every user-controlled menu value is encoded for the context it lands in when the templates render it.
Update the template files to HTML-encode menu names and attribute-encode menu URLs. Note that entity encoding alone does not neutralize a javascript: URL placed in an href attribute, which is why the URL field also needs scheme validation on input.
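The two workarounds above, shown together as an added example in Python (this is illustrative code, not RuoYi's own Java controller or templates; the field names menu_name and url are assumptions, not RuoYi's real column names). The vulnerable render function concatenates the values straight into HTML; the hardened one encodes them for their context, and the validator rejects script-scheme and protocol-relative URLs that encoding alone would not stop.

```python
import html
from urllib.parse import urlsplit

# Field names below (menu_name, url) are illustrative, not RuoYi's actual column names.
ALLOWED_SCHEMES = {"", "http", "https"}   # "" covers relative paths and "#"
MAX_NAME_LEN = 50


class MenuValidationError(ValueError):
    """Raised when a submitted menu record must be rejected outright."""


def validate_menu(menu: dict) -> dict:
    """Return a cleaned copy of the submitted menu or raise MenuValidationError.

    Validation rejects what should never be stored (control characters,
    script-scheme URLs); encoding is left to render time, so the stored
    value is not double-encoded if a later template encodes it again.
    """
    name = str(menu.get("menu_name", "")).strip()
    url = str(menu.get("url", "")).strip()
    if not name or len(name) > MAX_NAME_LEN:
        raise MenuValidationError("menu_name must be 1-%d characters" % MAX_NAME_LEN)
    # Browsers ignore tab/CR/LF inside a scheme, so "java\tscript:" is still
    # executable; rejecting control characters closes that evasion.
    if any(ord(c) < 0x20 for c in name + url):
        raise MenuValidationError("control characters are not allowed")
    parts = urlsplit(url)                      # urlsplit lowercases the scheme
    if parts.scheme not in ALLOWED_SCHEMES:
        raise MenuValidationError("url scheme not allowed: %r" % parts.scheme)
    if not parts.scheme and parts.netloc:      # "//evil.example/..." would leave the site
        raise MenuValidationError("protocol-relative url not allowed")
    return {"menu_name": name, "url": url}


def is_valid_menu(menu: dict) -> bool:
    """Boolean wrapper around validate_menu for callers that just need accept/reject."""
    try:
        validate_menu(menu)
        return True
    except MenuValidationError:
        return False


def render_menu_item_unsafe(menu: dict) -> str:
    """The vulnerable pattern: user-controlled values concatenated into HTML."""
    return '<a href="%s">%s</a>' % (menu["url"], menu["menu_name"])


def render_menu_item(menu: dict) -> str:
    """Hardened form: every user-controlled value is entity-encoded for its context."""
    return '<a href="%s">%s</a>' % (
        html.escape(menu["url"], quote=True),
        html.escape(menu["menu_name"], quote=True),
    )


if __name__ == "__main__":
    payload = {"menu_name": "<script>alert(document.cookie)</script>", "url": "/system/user"}
    print(render_menu_item_unsafe(payload))   # script tag survives intact
    print(render_menu_item(payload))          # rendered as inert text
    for candidate in ("/system/user", "javascript:alert(1)", "//evil.example/", "#"):
        print(candidate, "->", "accepted" if is_valid_menu({"menu_name": "Reports", "url": candidate}) else "rejected")
```

Validation and encoding are deliberately separate steps: validation throws away what must never be stored, while encoding happens at the last moment, in the template, where the output context is known.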
🧯 If You Can't Patch
- Restrict menu editing permissions to the smallest set of administrators that genuinely needs them, and audit which roles currently hold them
- Put a web application firewall (WAF) with XSS rules in front of the application, treating it as a detection layer rather than a fix: signature-based rules are routinely bypassed with encoded or event-handler payloads
🔍 How to Verify
Check if Vulnerable:
Check if your RuoYi version is 4.8.1 or earlier by examining the version file or application properties
Check Version:
Check the ruoyi-admin/src/main/resources/application.yml file for version information
Verify Fix Applied:
After patching, submit test payloads (a script tag in the menu name, a javascript: URL in the menu URL field) through the menu edit form and confirm they are rejected or rendered as literal text wherever the menu is displayed
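A version check as an added example, not part of the advisory or of RuoYi's own tooling. It reads the version string under the top-level ruoyi: block of application.yml and compares it against the fixed release; the exact location of the version key in your file is an assumption, and the YAML excerpt below is constructed for the demonstration.

```python
import re
from pathlib import Path
from typing import Optional, Tuple

FIXED_IN = (4, 8, 2)   # from the advisory: 4.8.2 or later is patched

# Constructed excerpt standing in for ruoyi-admin/src/main/resources/application.yml.
# The placement of 'version' under a top-level 'ruoyi:' block is an assumption.
SAMPLE_YAML = """\
# project settings
ruoyi:
  # name
  name: RuoYi
  # version
  version: 4.8.1
  copyrightYear: 2025
server:
  port: 8080
"""


def extract_version(yaml_text: str) -> Optional[Tuple[int, ...]]:
    """Pull the version under the top-level 'ruoyi:' block without a YAML library."""
    in_block = False
    for line in yaml_text.splitlines():
        if not line.strip() or line.strip().startswith("#"):
            continue                                   # blanks and comments never end a block
        if re.match(r"^ruoyi:\s*$", line):
            in_block = True
            continue
        if in_block and re.match(r"^\S", line):        # next top-level key ends the block
            in_block = False
        if in_block:
            m = re.match(r"^\s+version:\s*['\"]?(\d+(?:\.\d+)*)['\"]?\s*$", line)
            if m:
                return tuple(int(p) for p in m.group(1).split("."))
    return None


def is_vulnerable(version: Optional[Tuple[int, ...]]) -> bool:
    """True when the version is below the fixed release; unknown counts as vulnerable."""
    if version is None:
        return True
    n = max(len(version), len(FIXED_IN))               # pad so (4, 8) compares as (4, 8, 0)
    padded = version + (0,) * (n - len(version))
    fixed = FIXED_IN + (0,) * (n - len(FIXED_IN))
    return padded < fixed


def check_file(path: str) -> bool:
    """Convenience wrapper: read application.yml from disk and report vulnerability."""
    return is_vulnerable(extract_version(Path(path).read_text(encoding="utf-8")))


if __name__ == "__main__":
    found = extract_version(SAMPLE_YAML)
    label = "unknown" if found is None else ".".join(map(str, found))
    print("RuoYi version %s: %s" % (label, "VULNERABLE" if is_vulnerable(found) else "patched"))
```

Treat a missing or unparseable version as vulnerable rather than silently passing; a forked or repackaged deployment that dropped the key deserves a manual look, not a green tick.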
📡 Detection & Monitoring
Log Indicators:
- Menu modification activity outside normal change windows, or from accounts that rarely edit menus
- Repeated submissions to the menu endpoints that trip the application's XSS filter, which suggests an attacker iterating toward a bypass
- Angle brackets, "javascript:" or event-handler attributes (onerror=, onload=) in submitted menu names or URLs
Network Indicators:
- POST requests to /system/menu/edit whose bodies contain script tags or JavaScript, bearing in mind that form posts percent-encode angle brackets (%3Cscript%3E)
- Connections from users' browsers to unfamiliar external hosts shortly after they load the menu, consistent with cookie or session exfiltration
SIEM Query:
source="ruoyi-logs" AND uri="/system/menu/edit" AND (body CONTAINS "<script" OR body CONTAINS "%3Cscript" OR body CONTAINS "javascript:" OR body CONTAINS "javascript%3A" OR body CONTAINS "onerror=" OR body CONTAINS "onerror%3D")
This query is a starting point only: match on decoded bodies where your SIEM supports it, and extend the terms to other event-handler attributes and tags (img, svg, iframe), since a literal "<script>" match misses most real payloads.
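The same detection logic run offline over sample log lines, as an added example that is not part of the advisory and not a RuoYi component. The JSON log format and its field names (ts, src, user, method, uri, body) are assumptions; real RuoYi or reverse-proxy logs will need the field names adjusted. The script percent-decodes each POST body before matching, so the encoded and tab-split payloads that a literal "<script>" search misses are still flagged.

```python
import json
import re
from typing import Dict, List, Optional
from urllib.parse import unquote_plus

# Detection heuristics, checked against the decoded request body. The
# event-handler rule requires a preceding space, slash or quote so that
# ordinary form fields such as "onlineStatus=1" do not trip it.
XSS_RULES = [
    ("script_tag",     re.compile(r"<\s*script\b", re.I)),
    ("javascript_url", re.compile(r"javascript\s*:", re.I)),
    ("event_handler",  re.compile(r"""(?<=[\s/"'])on[a-z]+\s*=""", re.I)),
    ("dangerous_tag",  re.compile(r"<\s*(img|svg|iframe|object|embed)\b", re.I)),
    ("data_html_url",  re.compile(r"data\s*:\s*text/html", re.I)),
]

# Constructed sample access-log lines (JSON per line, hypothetical field names).
SAMPLE_LOGS = [
    '{"ts":"2025-11-20T10:01:02Z","src":"10.0.0.5","user":"editor1","method":"POST","uri":"/system/menu/edit","body":"menuId=100&menuName=User+Management&url=%2Fsystem%2Fuser"}',
    '{"ts":"2025-11-20T10:03:15Z","src":"10.0.0.5","user":"editor1","method":"POST","uri":"/system/menu/edit","body":"menuId=100&menuName=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&url=%2Fsystem%2Fuser"}',
    '{"ts":"2025-11-20T10:04:40Z","src":"10.0.0.5","user":"editor1","method":"POST","uri":"/system/menu/edit","body":"menuId=101&menuName=Reports&url=java%09script%3Aalert(1)"}',
    '{"ts":"2025-11-20T10:05:01Z","src":"10.0.0.9","user":"editor2","method":"POST","uri":"/system/menu/edit","body":"menuId=102&menuName=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E&url=%23"}',
    '{"ts":"2025-11-20T10:06:00Z","src":"10.0.0.9","user":"editor2","method":"GET","uri":"/system/menu/list","body":""}',
]


def normalise_body(body: str) -> str:
    """Undo form encoding (bounded, to catch double-encoded payloads) and drop
    the tab/CR/LF characters that browsers ignore inside a URL scheme."""
    decoded = body
    for _ in range(3):
        nxt = unquote_plus(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return re.sub(r"[\t\r\n]", "", decoded)


def scan_line(raw: str) -> Optional[Dict]:
    """Return an alert dict for a suspicious menu edit, else None."""
    rec = json.loads(raw)
    if rec.get("method") != "POST" or not rec.get("uri", "").startswith("/system/menu/edit"):
        return None
    body = normalise_body(rec.get("body", ""))
    hits = [name for name, rule in XSS_RULES if rule.search(body)]
    if not hits:
        return None
    return {"ts": rec.get("ts"), "src": rec.get("src"), "user": rec.get("user"),
            "hits": hits, "body": body}


def scan(lines: List[str]) -> List[Dict]:
    """Run scan_line over a batch of raw log lines and keep only the alerts."""
    return [alert for alert in (scan_line(line) for line in lines) if alert]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print("%(ts)s %(src)s %(user)s %(hits)s  %(body)s" % alert)
```

Three of the five constructed lines alert: the plain script tag, the tab-split javascript: URL (invisible to a literal match before decoding), and the img/onerror payload that contains no script tag at all. The benign edit and the GET are ignored. The rules are heuristics; pair them with the access-pattern indicators above rather than relying on string matching alone.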