CVE-2025-0734
Published: 27 January 2025
Description
A vulnerability has been found in y_project RuoYi up to 4.8.0 and classified as critical. This vulnerability affects the function getBeanName of the component Whitelist. The manipulation leads to deserialization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Security Summary
CVE-2025-0734 is a deserialization vulnerability classified as critical in y_project RuoYi versions up to 4.8.0. It affects the getBeanName function within the Whitelist component, stemming from CWE-20 (Improper Input Validation) and CWE-502 (Deserialization of Untrusted Data). The issue enables remote manipulation leading to deserialization.
Attackers require high privileges (PR:H) to exploit this vulnerability over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation results in low impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), yielding an overall CVSS v3.1 base score of 4.7 with unchanged scope (S:U).
Advisories note that the vendor was contacted early regarding disclosure but provided no response. A public exploit has been disclosed, including at a GitHub Gist, and may be actively used. Relevant references include VulDB entries at https://vuldb.com/?ctiid.293512, https://vuldb.com/?id.293512, and https://vuldb.com/?submit.482823.
The vulnerability was published on 2025-01-27, with the exploit publicly available shortly after disclosure.
Details
- CWE(s)