How CVE-2025-28408 Works
The vulnerability is reported in RuoYi v4.8.0 and stems from improper validation of the `deptId` path parameter in the `/selectDeptTree/{deptId}` endpoint. The `selectDeptTree` handler does not validate the user-supplied value, so an attacker can substitute a crafted department ID to bypass the access controls around that request. By sending a request with a manipulated department ID, an attacker can escalate privileges and reach administrative functions. Because the handler also lacks session validation and role-based checks, the exploit can be run remotely without authentication.
DailyCVE Form
Platform: RuoYi
Version: 4.8.0
Vulnerability: Privilege Escalation
Severity: Critical
Date: 04/09/2025
What Undercode Says:
Exploitation
1. Craft Malicious Request
# Same payload as below, percent-encoded: quotes and spaces are not valid in a raw URL path and curl sends the path as given
curl -X GET "http://vulnerable.target/selectDeptTree/1%27%20OR%20%271%27%3D%271"
2. SQL Injection Attempt
-- Query shape the injected path value produces if deptId is concatenated into the statement unescaped
SELECT * FROM sys_dept WHERE dept_id = '1' OR '1'='1';
3. Exploit via Burp Suite
GET /selectDeptTree/1%27%20OR%20%271%27%3D%271 HTTP/1.1
Host: vulnerable.target
Protection
1. Input Sanitization
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;

// Reject anything that is not a plain decimal ID before it reaches the service or SQL layer.
// Binding the parameter as Long instead of String would make Spring reject non-numeric values with a 400 as well.
@GetMapping("/selectDeptTree/{deptId}")
public String selectDeptTree(@PathVariable("deptId") String deptId) {
    if (!deptId.matches("[0-9]+")) {
        throw new IllegalArgumentException("Invalid deptId");
    }
    // Proceed with logic
}
2. Patch Deployment
# Back up the deployment and verify the archive against the vendor's release channel before unpacking over it
wget https://patch.ruoyi.com/security/CVE-2025-28408-fix.zip
unzip CVE-2025-28408-fix.zip -d /var/www/ruoyi/
3. WAF Rule
# The payload travels in the path, not the query string, so match on $uri (already percent-decoded by nginx), not $args
location ~ /selectDeptTree/ {
    if ($uri ~ "[;'\"]") {
        return 403;
    }
}
4. Log Monitoring
# Access logs record the request line as sent, so match both the percent-encoded and the raw forms of quote and semicolon
grep -E "selectDeptTree/[^ ]*(%27|%3B|'|;)" /var/log/nginx/access.log
5. Disable Endpoint Temporarily
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RestController;

// This stub must replace the original /selectDeptTree/{deptId} mapping, not sit beside it under a different prefix:
// Spring refuses to start on an ambiguous duplicate mapping, and a stub on another path leaves the original handler reachable.
@RestController
public class DeptController {
    @Deprecated
    @GetMapping("/selectDeptTree/{deptId}")
    public String selectDeptTree(@PathVariable String deptId) {
        return "Endpoint disabled for security reasons";
    }
}
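The Log Monitoring step above relies on a grep pattern, which only sees the request line as it was logged. The script below, added here as an example and not code from the page or from the RuoYi project, applies the same digits-only rule as the controller fix to the URL-decoded `deptId` segment of each request, so it flags the encoded (`%27`) and raw (`'`) forms of the payload alike. The log lines are constructed samples in nginx combined format; the IPs, timestamps and user agents are made up, and the `naive_grep_hits` pattern stands in for any quote-only filter that does not decode the path.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (nginx combined format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Apr/2025:10:01:12 +0000] "GET /selectDeptTree/100 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [09/Apr/2025:10:02:44 +0000] "GET /selectDeptTree/1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 8192 "-" "curl/8.4.0"
10.0.0.9 - - [09/Apr/2025:10:03:01 +0000] "GET /selectDeptTree/1'%20OR%20'1'='1 HTTP/1.1" 500 0 "-" "python-requests/2.31"
10.0.0.11 - - [09/Apr/2025:10:03:30 +0000] "GET /selectDeptTree/2;DROP%20TABLE%20sys_dept HTTP/1.1" 400 0 "-" "curl/8.4.0"
10.0.0.12 - - [09/Apr/2025:10:04:10 +0000] "GET /system/user/list HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Combined-format fields we need: client IP, request target and response status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+" (?P<status>\d{3}) '
)
# deptId is the path segment directly after /selectDeptTree/ (stops at '/', '?' or '#').
DEPT_PATH_RE = re.compile(r'/selectDeptTree/([^/?#]+)')
# Same rule as the digits-only check in the controller fix: a plain decimal ID only.
DEPT_ID_OK = re.compile(r'^[0-9]+$')
# A quote-only filter that never decodes the path; shown for comparison only.
NAIVE_RE = re.compile(r"selectDeptTree.*[';]")


def is_valid_dept_id(raw_segment: str) -> bool:
    """True only if the percent-decoded segment is a plain decimal ID.

    Decoding first matters: the application decodes before it uses the value,
    so '%31' is the digit '1' and '1%27' is "1'".
    """
    return DEPT_ID_OK.match(unquote(raw_segment)) is not None


def suspicious_dept_requests(log_text: str) -> list:
    """Return (client_ip, decoded_dept_id, status) for every request whose deptId is not numeric."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a parseable combined-format line
        seg = DEPT_PATH_RE.search(m.group("target"))
        if not seg:
            continue  # some other endpoint
        raw = seg.group(1)
        if is_valid_dept_id(raw):
            continue  # benign numeric deptId
        hits.append((m.group("ip"), unquote(raw), m.group("status")))
    return hits


def naive_grep_hits(log_text: str) -> int:
    """Count lines a raw-quote-or-semicolon pattern would catch; it misses the fully encoded payload."""
    return sum(1 for line in log_text.splitlines() if NAIVE_RE.search(line))


if __name__ == "__main__":
    for ip, dept_id, status in suspicious_dept_requests(SAMPLE_LOG):
        print(f"{ip} deptId={dept_id!r} status={status}")
    print("naive pattern would have caught:", naive_grep_hits(SAMPLE_LOG))
```

On the sample above the decoded check flags three requests (the percent-encoded payload, the raw-quote payload and the semicolon payload) while the quote-only pattern catches two, missing the request that was fully encoded and got a 200 back. Feed it a real file with `suspicious_dept_requests(open(path).read())`; the status column is worth keeping, because a non-numeric `deptId` that returned 200 is the one to investigate first.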
References:
NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2025-28408