CVE-2025-13250: Critical Broken Access Control Vulnerability in datax-web Requires Immediate Action

Overview

A medium-severity security vulnerability, identified as CVE-2025-13250, has been discovered in WeiYe-Jing datax-web versions up to 2.1.2. This vulnerability allows remote attackers to bypass access controls, potentially leading to unauthorized manipulation of data integration jobs. The exploit is publicly available, increasing the risk of exploitation.

Technical Details

The vulnerability resides within the Job Handler component of datax-web. Specifically, the remove, update, pause, start, and triggerJob functions are affected. An attacker can exploit this vulnerability by manipulating requests to these functions, circumventing the intended access controls. This allows them to perform actions on jobs they are not authorized to manage.

CVSS Analysis

The Common Vulnerability Scoring System (CVSS) score for CVE-2025-13250 is 6.3 (Medium). This score reflects the following characteristics:

  • Attack Vector (AV): Network (N) – The vulnerability can be exploited remotely.
  • Attack Complexity (AC): Low (L) – Exploitation requires little to no specialized access or conditions.
  • Privileges Required (PR): None (N) – No privileges are required to exploit the vulnerability.
  • User Interaction (UI): None (N) – No user interaction is required to exploit the vulnerability.
  • Scope (S): Unchanged (U) – An exploited vulnerability can only affect resources managed by the same security authority.
  • Confidentiality Impact (C): None (N)
  • Integrity Impact (I): Low (L) – There is some modification of data.
  • Availability Impact (A): Low (L) – There is reduced performance or interruptions in resource availability.

Possible Impact

Successful exploitation of CVE-2025-13250 can have significant consequences:

  • Unauthorized Job Manipulation: Attackers can modify, pause, start, or even delete data integration jobs.
  • Data Corruption: By manipulating jobs, attackers can potentially corrupt or alter data being processed.
  • Service Disruption: Unauthorized pausing or deletion of jobs can disrupt data integration processes.
  • Data Exfiltration: While the CVSS score indicates low confidentiality impact, depending on the job configurations, attackers could potentially alter jobs to exfiltrate data to unauthorized locations.

Mitigation and Patch Steps

To address CVE-2025-13250, the following steps are recommended:

  1. Upgrade datax-web: Upgrade to a patched version of datax-web that addresses the broken access control vulnerability. Check the WeiYe-Jing website or official datax-web channels for updates. If a patch is unavailable, consider implementing compensating controls.
  2. Implement Access Control Lists (ACLs): Configure strict ACLs to limit access to the remove, update, pause, start, and triggerJob functions based on the principle of least privilege.
  3. Input Validation: Implement robust input validation to prevent malicious manipulation of requests to the affected functions.
  4. Web Application Firewall (WAF): Deploy a WAF and configure rules to detect and block malicious requests targeting the vulnerable endpoints.
  5. Monitor and Audit: Continuously monitor datax-web logs for suspicious activity and implement audit trails to track all job-related actions.
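The deny-by-default, per-job authorization check that step 2 calls for, written here as an added illustration (it is not datax-web's own code, and the job record, roles and permission names are assumptions). Every one of the five affected operations passes through one check that requires an authenticated caller, a role that grants the operation, and ownership of or membership in the job's project.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed data model for the example; datax-web's real job and user tables differ.
@dataclass
class Job:
    job_id: int
    owner: str
    project: str
    status: str = "stopped"

@dataclass
class Principal:
    username: Optional[str]             # None models an unauthenticated request
    roles: set = field(default_factory=set)
    projects: set = field(default_factory=set)

# The affected handler operations, each mapped to the permission it needs.
JOB_ACTIONS = {"remove": "job:delete", "update": "job:write",
               "pause": "job:control", "start": "job:control", "triggerJob": "job:control"}
# Hypothetical role-to-permission table (least privilege: operators only control jobs).
ROLE_PERMS = {"admin": set(JOB_ACTIONS.values()),
              "developer": {"job:write", "job:control"},
              "operator": {"job:control"}}

class AccessDenied(Exception):
    pass

def authorize(principal: Principal, action: str, job: Job) -> None:
    """Raise AccessDenied unless the caller may perform `action` on `job`."""
    if principal.username is None:
        raise AccessDenied("authentication required")
    perm = JOB_ACTIONS.get(action)
    if perm is None:                                  # unknown action: deny, never fall through
        raise AccessDenied(f"unknown action {action!r}")
    granted = set().union(*(ROLE_PERMS.get(r, set()) for r in principal.roles))
    if perm not in granted:
        raise AccessDenied(f"role lacks {perm}")
    if "admin" in principal.roles:
        return
    # Object-level check: a valid role is not enough, the caller must be tied to this job.
    if principal.username != job.owner and job.project not in principal.projects:
        raise AccessDenied(f"{principal.username} may not {action} job {job.job_id}")

def is_allowed(principal: Principal, action: str, job: Job) -> bool:
    try:
        authorize(principal, action, job)
        return True
    except AccessDenied:
        return False
```

The vulnerable pattern the advisory describes is the handler acting on whatever job id arrives in the request; here no state changes until `authorize` has returned.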
