CVE-2025-14051
Published: 04 December 2025
Description
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Security Summary
CVE-2025-14051 is a vulnerability in youlaitech youlai-mall versions 1.0.0 and 2.0.0, affecting the functions getById, updateAddress, and deleteAddress within the file /mall-ums/app-api/v1/addresses/. The flaw stems from improper control of dynamically-identified variables, mapped to CWE-913 and CWE-914.
The vulnerability enables remote exploitation (AV:N) with low attack complexity (AC:L), requiring low privileges (PR:L) and no user interaction (UI:N). Successful attacks can result in low impacts to confidentiality, integrity, and availability (C:L/I:L/A:L), yielding a CVSS v3.1 base score of 6.3.
Advisories on VulDB and related GitHub issues document the issue, noting that an exploit has been published and is available for use. The vendor was contacted early regarding disclosure but provided no response, with no patches or official mitigations referenced.
Notable context includes the public availability of the exploit, which may facilitate real-world attacks against unpatched instances.
Details
- CWE(s): CWE-913, CWE-914
Affected Products
- youlaitech youlai-mall 1.0.0, 2.0.0
MITRE ATT&CK Enterprise Techniques
Why these techniques?
IDOR in the addresses API (getById, updateAddress, deleteAddress) lets any authenticated user read, update, or delete other users' PII because the handlers never check that the requested address belongs to the caller, giving horizontal privilege escalation (T1068); the sequential IDs and exposed memberIds/names allow account discovery by enumeration (T1087), collection of data from the application repository (T1213), and manipulation of stored data (T1565.001).
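To make the missing-ownership-check pattern and its fix concrete, the following is an added example written for this page; it is not code from youlai-mall and does not reproduce its handlers. It models an address store in memory, shows a lookup keyed only on the address id (the flaw class described above) next to a lookup that binds the record to the authenticated member, and adds a small log-based check for the enumeration behaviour noted under T1087. All names (AddressStore, NotFound, run_demo, enumeration_suspects), the log format, and the sample data are constructed for illustration.

```python
"""Added example (not youlai-mall code): owner-scoped address lookups versus
an id-only lookup, plus a detector for one member touching many address ids.
Every identifier and record here is constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass, field

# Path prefix from the advisory; the log format around it is constructed.
ADDRESS_PATH = "/app-api/v1/addresses/"


class NotFound(Exception):
    """Raised for both absent and foreign addresses, so responses do not
    reveal whether an id exists for another member."""


@dataclass
class Address:
    id: int
    member_id: int
    detail: str


@dataclass
class AddressStore:
    rows: dict = field(default_factory=dict)

    def get_by_id(self, address_id):
        # Flawed pattern: the record is selected by id alone.
        return self.rows[address_id]

    def get_owned(self, address_id, member_id):
        # Hardened pattern: ownership is part of the lookup, not a later check.
        row = self.rows.get(address_id)
        if row is None or row.member_id != member_id:
            raise NotFound(address_id)
        return row


def vulnerable_get(store, caller_member_id, address_id):
    """Caller identity is accepted but never used, so any id resolves."""
    return store.get_by_id(address_id)


def hardened_get(store, caller_member_id, address_id):
    return store.get_owned(address_id, caller_member_id)


def hardened_update(store, caller_member_id, address_id, detail):
    row = store.get_owned(address_id, caller_member_id)
    row.detail = detail
    return row


def hardened_delete(store, caller_member_id, address_id):
    store.get_owned(address_id, caller_member_id)  # raises if not the owner
    del store.rows[address_id]
    return True


def build_demo_store():
    store = AddressStore()
    store.rows[101] = Address(101, member_id=1, detail="member 1 home")
    store.rows[102] = Address(102, member_id=2, detail="member 2 office")
    return store


def run_demo():
    """Exercise both patterns as member 1 and report what each allowed."""
    store = build_demo_store()
    out = {"idor_read_owner": vulnerable_get(store, 1, 102).member_id}
    try:
        hardened_get(store, 1, 102)
        out["hardened_read_foreign"] = "allowed"
    except NotFound:
        out["hardened_read_foreign"] = "denied"
    try:
        hardened_delete(store, 1, 102)
        out["hardened_delete_foreign"] = "allowed"
    except NotFound:
        out["hardened_delete_foreign"] = "denied"
    out["hardened_update_own"] = hardened_update(store, 1, 101, "new").detail
    out["hardened_delete_own"] = hardened_delete(store, 1, 101)
    out["rows_left"] = sorted(store.rows)
    return out


def enumeration_suspects(log_lines, threshold=5):
    """Return members that touched more than `threshold` distinct address ids.
    Input lines look like 'member=<id> path=<path> status=<code>' (constructed)."""
    seen = defaultdict(set)
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        if fields["path"].startswith(ADDRESS_PATH):
            seen[fields["member"]].add(fields["path"].rsplit("/", 1)[1])
    return sorted(m for m, ids in seen.items() if len(ids) > threshold)


def demo_log_lines():
    """Constructed access log: member 7 walks ids 100..105, member 1 reads its own."""
    lines = [f"member=7 path={ADDRESS_PATH}{i} status=200" for i in range(100, 106)]
    lines.append(f"member=1 path={ADDRESS_PATH}101 status=200")
    return lines


if __name__ == "__main__":
    print(run_demo())
    print("enumeration suspects:", enumeration_suspects(demo_log_lines()))
```

The fix is structural rather than an added `if`: the repository method that fetches an address takes the caller's member id as part of its selection, so no handler can forget the check. Responding identically for missing and foreign ids keeps the hardened endpoint from confirming which ids exist. The detector is deliberately simple; in production the threshold and window would be tuned against normal per-member address counts.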