CVE-2025-7901

4.3 MEDIUM

📋 TL;DR

This vulnerability allows attackers to inject malicious scripts via the configUrl parameter in Swagger UI within RuoYi systems. When exploited, it enables cross-site scripting attacks that can steal session cookies, redirect users, or perform actions on their behalf. Organizations running RuoYi up to version 4.8.1 with Swagger UI exposed are affected.

💻 Affected Systems

Products:
  • yangzongzhuan RuoYi
Versions: up to 4.8.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with Swagger UI enabled and accessible. The vulnerability is in the /swagger-ui/index.html endpoint.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers steal administrator session cookies, gain full system access, and compromise sensitive data or deploy ransomware.

🟠 Likely Case

Attackers steal user session cookies to hijack accounts, perform unauthorized actions, or redirect to phishing sites.

🟢 If Mitigated

With proper input validation and output encoding, the attack fails, causing no impact beyond failed exploitation attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the attacker to trick a user into visiting a malicious URL. No authentication is needed to trigger the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.8.2 or later

Vendor Advisory: https://github.com/yangzongzhuan/RuoYi/issues/293

Restart Required: Yes

Instructions:

1. Update RuoYi to version 4.8.2 or later.
2. Restart the application server.
3. Verify the fix by testing the configUrl parameter.

🔧 Temporary Workarounds

Disable Swagger UI (applies to: all)

Remove or restrict access to the Swagger UI endpoint to prevent exploitation.

# In application configuration, set swagger.enabled=false or remove /swagger-ui mapping

Input Validation Filter (applies to: all)

Implement a web application firewall or filter to sanitize configUrl parameter inputs.

# Configure WAF rules to block script tags and JavaScript in URL parameters

🧯 If You Can't Patch

  • Implement strict Content Security Policy (CSP) headers to block inline scripts and external resources.
  • Use network segmentation to isolate RuoYi instances and restrict access to trusted users only.

🔍 How to Verify

Check if Vulnerable:

Request /swagger-ui/index.html?configUrl=javascript:alert('test') and check whether the script executes. Use the browser developer tools to inspect the rendered page for script injection.

Check Version:

Check RuoYi version in application logs or configuration files; typically in application.yml or pom.xml for version 4.8.1 or earlier.

Verify Fix Applied:

After patching, test the same payload; it should not execute and should be properly encoded or blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual requests to /swagger-ui/index.html with long or encoded parameters containing script tags or JavaScript.

Network Indicators:

  • HTTP requests with configUrl parameter containing javascript: or script payloads.

SIEM Query:

source="web_logs" AND uri="/swagger-ui/index.html" AND param="configUrl" AND (value MATCHES "javascript:*" OR value MATCHES "<script>*")
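As an added example (not code from the advisory or from the RuoYi project), the Python script below applies the log and network indicators above to constructed access-log lines. The combined log format, the sample lines and the configUrl values are assumptions; it goes beyond the SIEM query by percent-decoding repeatedly, so double-encoded and mixed-case payloads are also flagged.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOGS = [
    '10.0.0.5 - - [01/Aug/2025:10:00:01 +0000] "GET /swagger-ui/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Aug/2025:10:00:02 +0000] "GET /swagger-ui/index.html?configUrl=/v3/api-docs/swagger-config HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Aug/2025:10:00:03 +0000] "GET /swagger-ui/index.html?configUrl=javascript:alert(%27test%27) HTTP/1.1" 200 5120 "-" "curl/8.0"',
    '198.51.100.7 - - [01/Aug/2025:10:00:04 +0000] "GET /swagger-ui/index.html?configUrl=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5120 "-" "curl/8.0"',
    '198.51.100.7 - - [01/Aug/2025:10:00:05 +0000] "GET /swagger-ui/index.html?configUrl=%256Aavascript%3Aalert(1) HTTP/1.1" 200 5120 "-" "curl/8.0"',
    '10.0.0.9 - - [01/Aug/2025:10:00:06 +0000] "GET /login?redirect=javascript:1 HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
]

# Client IP, timestamp, method, request target and status from a combined-format line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def normalize(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable (catches double encoding), drop whitespace/control chars, lowercase."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return re.sub(r'[\s\x00-\x1f]+', '', value).lower()


def is_malicious_config_url(value: str) -> bool:
    """True when the normalized value is a javascript: URL or carries a script tag."""
    v = normalize(value)
    return v.startswith('javascript:') or '<script' in v


def scan_log_lines(lines):
    """Return one record per request to the Swagger UI page whose configUrl looks like an XSS payload."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        parts = urlsplit(m.group('target'))
        if parts.path != '/swagger-ui/index.html':
            continue  # only the vulnerable endpoint is of interest here
        for value in parse_qs(parts.query, keep_blank_values=True).get('configUrl', []):
            if is_malicious_config_url(value):
                hits.append({'ip': m.group('ip'), 'ts': m.group('ts'), 'configUrl': value})
    return hits


if __name__ == '__main__':
    for hit in scan_log_lines(SAMPLE_LOGS):
        print(hit)
```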
