Overview
CVE-2025-46175 identifies a critical Incorrect Access Control vulnerability found in Ruoyi version 4.8.0. This flaw stems from a missing permission check within the authRole method of SysUserController.java, potentially allowing unauthorized users to manipulate role assignments beyond their intended scope. This can lead to privilege escalation and unauthorized data access.
Technical Details
The vulnerability lies specifically in the authRole method within the SysUserController.java file of Ruoyi v4.8.0. A crucial checkUserDataScope permission check is absent, meaning that under certain conditions, users can potentially modify role assignments for other users or roles without the proper authorization. This can bypass intended security restrictions and lead to unauthorized actions.
The vulnerable code is located within the mentioned method, where role update operations are performed without validating the user’s authority to perform the changes within the specific data scope.
Example code snippet (illustrative – may differ slightly):
// In SysUserController.java - authRole method (Vulnerable Version)
public AjaxResult authRole(Long userId, Long[] roleIds) {
    // Missing checkUserDataScope permission check here!
    // Update user's roles based on roleIds
    userService.authRole(userId, roleIds);
    return AjaxResult.success();
}
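The fix, as an added illustration that is not Ruoyi's own code: the missing data-scope check is placed before the role update so that a caller can only change role assignments of users inside their own data scope. The department-based scope model, the admin shortcut (user 1), the explicit callerId parameter and the sample users are assumptions made to keep the example self-contained; Ruoyi's real checkUserDataScope takes only the target userId and resolves the caller from the session.

```java
import java.util.*;

// Added example: minimal model of the checkUserDataScope check that authRole lacked.
// Assumption: a caller may only administer users whose deptId is in the caller's
// data scope; the admin (userId 1) is in scope for everyone.
public class AuthRoleExample {
    record User(long userId, long deptId) {}

    static final Map<Long, User> USERS = new HashMap<>();            // constructed sample users
    static final Map<Long, Set<Long>> USER_ROLES = new HashMap<>();  // userId -> assigned roleIds
    static final Map<Long, Set<Long>> DEPT_SCOPE = new HashMap<>();  // callerId -> visible deptIds

    static {
        USERS.put(1L, new User(1L, 100L));   // admin
        USERS.put(2L, new User(2L, 200L));   // manager of dept 200
        USERS.put(3L, new User(3L, 200L));   // ordinary user in dept 200
        USERS.put(4L, new User(4L, 300L));   // user in a different dept
        DEPT_SCOPE.put(2L, Set.of(200L));    // user 2 may only administer dept 200
    }

    static boolean isAdmin(long userId) { return userId == 1L; }

    // The check that was missing: reject when the target user is outside the caller's scope.
    static void checkUserDataScope(long callerId, long targetUserId) {
        if (isAdmin(callerId)) return;
        User target = USERS.get(targetUserId);
        Set<Long> scope = DEPT_SCOPE.getOrDefault(callerId, Set.of());
        if (target == null || !scope.contains(target.deptId())) {
            throw new SecurityException("no permission to access user data: " + targetUserId);
        }
    }

    // Fixed shape of authRole: scope check first, then the role update.
    static Set<Long> authRole(long callerId, long userId, Long[] roleIds) {
        checkUserDataScope(callerId, userId);
        Set<Long> roles = new HashSet<>(Arrays.asList(roleIds));
        USER_ROLES.put(userId, roles);
        return roles;
    }

    public static void main(String[] args) {
        System.out.println("in scope, updated: " + authRole(2L, 3L, new Long[]{5L}));
        try {
            authRole(2L, 4L, new Long[]{1L});   // out of scope: must be rejected
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```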
CVSS Analysis
No severity rating or CVSS score has been published for this issue, so the potential severity must be estimated. The nature of the vulnerability (Incorrect Access Control) suggests a high potential impact: such flaws often lead to significant data breaches, privilege escalation, and unauthorized system modifications. A CVSS score calculation would likely result in a HIGH severity rating, depending on exploitability and scope.
Note: A formal CVSS score calculation by a qualified security professional is recommended for a precise assessment.
Possible Impact
The exploitation of CVE-2025-46175 could have severe consequences, including:
- Privilege Escalation: Users with limited privileges could potentially escalate their access by manipulating role assignments.
- Unauthorized Data Access: Attackers could gain access to sensitive data by assigning themselves roles with broader permissions.
- System Compromise: Complete system compromise is possible if attackers can gain administrative privileges.
- Data Breaches: Sensitive information could be exposed due to unauthorized access to user accounts and related data.
Mitigation or Patch Steps
To mitigate the risk posed by CVE-2025-46175, the following steps are recommended:
- Upgrade to the Latest Version: Upgrade Ruoyi to a version that includes the fix for this vulnerability. According to the commit history, the fix is included in versions after the commit f935b2782f4237cdbcc13bdce76703e82c42f4fe.
- Apply the Patch: If upgrading is not immediately feasible, apply the patch provided in the commit linked above to the SysUserController.java file. The patch should implement the missing checkUserDataScope permission check within the authRole method.
- Review User Permissions: Conduct a thorough review of user roles and permissions to identify and correct any unauthorized or excessive access rights.
- Implement Security Auditing: Implement security auditing to monitor user activity and detect any suspicious or unauthorized actions.
