How CVE-2025-28409 Works
The vulnerability in RuoYi v4.8.0 stems from improper permission validation in the `/add/{parentId}` endpoint. When a user adds a menu item through the `add` method, the server never verifies that the requesting user holds the privileges needed to modify the specified parentId. An attacker can therefore escalate privileges by inserting unauthorized menu items under higher-privileged sections, potentially gaining administrative access or manipulating system functionality. Because no server-side authorization check is performed, the flaw is exploitable remotely with a single crafted HTTP request.
DailyCVE Form
Platform: RuoYi
Version: 4.8.0
Vulnerability: Privilege Escalation
Severity: Critical
Date: 04/09/2025
What Undercode Says:
Exploitation:
1. Craft Malicious Request:
```shell
curl -X POST 'http://target.com/add/1' -d '{"menuName":"Exploit","perms":"admin:"}' -H "Cookie: JSESSIONID=attacker_session"
```
2. Bypass Validation: The endpoint accepts the request without verifying user permissions.
3. Gain Elevated Access: Injected menu items grant unauthorized privileges.
Protection:
1. Patch: Apply vendor updates.
2. Input Validation:
```java
@PreAuthorize("@ss.hasPermi('system:menu:add')") // Spring Security check
```
3. Log Monitoring:
```shell
grep "POST /add/" /var/log/ruoyi/access.log
```
4. WAF Rules: Block suspicious `parentId` tampering.
5. Network Segmentation: Restrict admin interface access.
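The protection list above boils down to one missing server-side check. The following Python model is an added example, not RuoYi code (RuoYi's real handler is a Java Spring controller): it places the vulnerable shape of the `add` handler next to a hardened one that consults the caller's permission set, validates the parentId, and refuses to attach a permission string the caller does not already hold. The users, permission strings, menu rows and the third safeguard are constructed assumptions for the illustration.

```python
"""Model of the authorization gap in CVE-2025-28409 (added example, not RuoYi code).

RuoYi's real handler is a Java Spring controller; this sketch only shows the
shape of the check that was missing: the caller's permission set is never
consulted before a menu is attached under the requested parentId. All users,
permission strings and menu rows below are constructed.
"""


class Forbidden(Exception):
    """Raised when the caller lacks the permission the operation requires."""


class User:
    def __init__(self, name, perms):
        self.name = name
        self.perms = set(perms)


class MenuService:
    # permission string RuoYi uses for menu creation, as quoted in the advisory
    ADD_PERM = "system:menu:add"

    def __init__(self):
        self.menus = {}   # menu_id -> dict(parent_id, menu_name, perms, create_by)
        self._next_id = 1

    def _insert(self, user, parent_id, menu_name, perms):
        menu_id = self._next_id
        self._next_id += 1
        self.menus[menu_id] = {"parent_id": parent_id, "menu_name": menu_name,
                               "perms": perms, "create_by": user.name}
        return menu_id

    def add_unchecked(self, user, parent_id, menu_name, perms):
        """Vulnerable shape: trusts the session and writes whatever was posted."""
        return self._insert(user, parent_id, menu_name, perms)

    def add_checked(self, user, parent_id, menu_name, perms):
        """Hardened shape: server-side checks run before the write."""
        # 1. the caller must hold the menu-creation permission at all
        if self.ADD_PERM not in user.perms:
            raise Forbidden(f"{user.name} lacks {self.ADD_PERM}")
        # 2. the parent must exist (0 is the conventional root id, an assumption here)
        if parent_id != 0 and parent_id not in self.menus:
            raise ValueError(f"unknown parentId {parent_id}")
        # 3. added safeguard (assumption, not from the advisory): a caller may only
        #    attach a permission string they already hold, so the endpoint cannot
        #    mint permissions such as "admin:" that the caller never had
        if perms and perms not in user.perms:
            raise Forbidden(f"{user.name} cannot grant {perms!r}")
        return self._insert(user, parent_id, menu_name, perms)


def demo():
    """Same low-privilege request against both handlers; returns (unchecked_ok, checked_ok)."""
    svc = MenuService()
    admin = User("admin", {"system:menu:add", "system:user:list"})
    root = svc.add_checked(admin, 0, "System", "")
    viewer = User("viewer", {"system:user:list"})   # no menu-add permission

    unchecked_ok = svc.add_unchecked(viewer, root, "Exploit", "admin:") is not None
    try:
        svc.add_checked(viewer, root, "Exploit", "admin:")
        checked_ok = True
    except Forbidden:
        checked_ok = False
    return unchecked_ok, checked_ok


if __name__ == "__main__":
    print("unchecked accepted, checked accepted:", demo())
```

`demo()` returns `(True, False)`: the unchecked handler writes the viewer's menu row under the root section, while the checked handler rejects it at the first test. The third check is stricter than what the `@PreAuthorize` annotation alone gives you; whether it fits depends on how a deployment delegates menu administration.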
Detection:
```python
import requests


def check_vuln(url):
    # Probe the menu-add endpoint; a 200 with "success" in the body means the
    # request was accepted without a permission check
    r = requests.post(f"{url}/add/1", json={"menuName": "test", "perms": "user:edit"})
    return r.status_code == 200 and "success" in r.text
```
Mitigation Commands:
```sql
-- Revoke stale permissions
DELETE FROM sys_menu WHERE create_by = 'attacker_user';
```
```nginx
# Nginx rule to limit endpoint access
location ~ ^/add/ {
    allow 192.168.1.0/24;
    deny all;
}
```
Forensic Analysis:
```shell
# Check added menu items
jq '.data[] | select(.createBy=="unknown")' menu_export.json
```
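The log grep under Log Monitoring and the jq filter above are the two things a responder actually runs; the following Python helpers are an added example, not from the advisory's author, that carry both a step further: they pull every `POST /add/{parentId}` out of an access log and count successful calls per client, and they review an exported menu list for entries created by accounts outside a trusted set or carrying privileged permission strings. The log format (nginx/Apache combined), the export shape (a top-level `data` array with `createBy`, mirroring the jq filter), the sample lines and the prefix list are constructed assumptions.

```python
"""Triage helpers for the menu-add endpoint (added example, not the advisory's code).

1. menu_add_requests / clients_by_volume: find POST /add/{parentId} calls in an
   access log and count the successful ones per client address.
2. suspicious_menus: review an exported sys_menu list for rows created by an
   untrusted account or granting privileged permission strings.
Log lines and the menu export below are constructed sample data.
"""
import json
import re
from collections import Counter

# nginx/Apache "combined" log format; an assumption about the deployment
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
ADD_PATH_RE = re.compile(r"^/add/(?P<parent_id>\d+)$")

SAMPLE_LOG = """\
10.0.0.5 - - [09/Apr/2025:10:15:32 +0000] "GET /system/menu/list HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
10.0.0.5 - - [09/Apr/2025:10:15:40 +0000] "POST /add/1 HTTP/1.1" 200 57 "-" "curl/8.0"
10.0.0.5 - - [09/Apr/2025:10:15:41 +0000] "POST /add/1 HTTP/1.1" 200 57 "-" "curl/8.0"
10.0.0.9 - - [09/Apr/2025:10:16:02 +0000] "POST /add/2 HTTP/1.1" 200 57 "-" "Mozilla/5.0"
10.0.0.7 - - [09/Apr/2025:10:17:15 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def menu_add_requests(log_text):
    """Return (ip, timestamp, parent_id, status) for each POST /add/{parentId} line."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        p = ADD_PATH_RE.match(m["path"])
        if p:
            hits.append((m["ip"], m["ts"], int(p["parent_id"]), int(m["status"])))
    return hits


def clients_by_volume(hits):
    """Count successful menu-add calls per client; a burst from one address stands out."""
    return Counter(ip for ip, _, _, status in hits if status == 200)


# Shape follows the advisory's jq filter: a top-level "data" array with createBy fields
SAMPLE_EXPORT = json.dumps({"data": [
    {"menuId": 1, "parentId": 0, "menuName": "System", "perms": "", "createBy": "admin"},
    {"menuId": 2, "parentId": 1, "menuName": "Users", "perms": "system:user:list", "createBy": "admin"},
    {"menuId": 3, "parentId": 1, "menuName": "Exploit", "perms": "admin:", "createBy": "unknown"},
    {"menuId": 4, "parentId": 2, "menuName": "Reports", "perms": "system:report:view", "createBy": "ops_user"},
]})


def suspicious_menus(export_json, trusted_creators, privileged_prefixes=("admin:", "system:menu:")):
    """Flag menu rows not created by a trusted account or granting privileged perms.

    Returns a list of (menuId, menuName, reasons) in export order.
    """
    findings = []
    for item in json.loads(export_json)["data"]:
        reasons = []
        if item.get("createBy") not in trusted_creators:
            reasons.append("untrusted creator")
        perms = item.get("perms") or ""
        if any(perms.startswith(pfx) for pfx in privileged_prefixes):
            reasons.append("privileged perms")
        if reasons:
            findings.append((item["menuId"], item["menuName"], reasons))
    return findings


if __name__ == "__main__":
    hits = menu_add_requests(SAMPLE_LOG)
    print("menu-add calls per client:", dict(clients_by_volume(hits)))
    for menu_id, name, reasons in suspicious_menus(SAMPLE_EXPORT, trusted_creators={"admin"}):
        print(f"menu {menu_id} ({name}): {', '.join(reasons)}")
```

On the sample data the log pass attributes two accepted calls to 10.0.0.5 and one to 10.0.0.9, and the export review flags menu 3 on both counts and menu 4 for its creator only. Pair the two: a creator name that appears in the export review should line up with a session in the log window, and a burst of accepted `/add/` posts with no matching administrative login is the case to escalate.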
References:
Reported By: https://nvd.nist.gov/vuln/detail/CVE-2025-28409