CVE-2025-0734

Summary

A vulnerability has been found in y_project RuoYi up to 4.8.0 and classified as critical. This vulnerability affects the function getBeanName of the component Whitelist. The manipulation leads to deserialization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Affected Software

VendorProductVersion RangeStatus
y_projectRuoYi4.0affected
y_projectRuoYi4.1affected
y_projectRuoYi4.2affected
y_projectRuoYi4.3affected
y_projectRuoYi4.4affected
y_projectRuoYi4.5affected
y_projectRuoYi4.6affected
y_projectRuoYi4.7affected
y_projectRuoYi4.8affected

Weaknesses

  • CWE-502: Deserialization
  • CWE-20: Improper Input Validation

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References