Deserialization Vulnerability in y_project RuoYi up to 4.8.0
CVE-2025-0734

5.1MEDIUM

Key Information:

Vendor: Y Project
Status: Ruoyi
Vendor: CVE Published:; 27 January 2025

Badges

👾 Exploit Exists

What is CVE-2025-0734?

A deserialization vulnerability exists in the getBeanName function of the Whitelist component within y_project RuoYi versions up to 4.8.0. This vulnerability can be exploited remotely, allowing attackers to compromise the application by manipulating the deserialization process. Despite an early notification to the vendor regarding this issue, no response was provided. The exploit is publicly disclosed and poses a significant risk, as it could enable arbitrary code execution or potentially allow bypassing security restrictions.

Affected Version(s)

RuoYi 4.0

RuoYi 4.1

RuoYi 4.2

References

https://vuldb.com/?id.293512

vdb-entrytechnical-description

https://vuldb.com/?ctiid.293512

signaturepermissions-required

https://vuldb.com/?submit.482823

third-party-advisory

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

👾
Exploit known to exist
Jan 27, 2025
Vulnerability published
Jan 27, 2025
Vulnerability Reserved
Jan 27, 2025

Credit

GSBP (VulDB User)

Y Project