Improper Access Control in youlaitech youlai-mall Product
CVE-2025-14052

5.3MEDIUM

Key Information:

Vendor: Youlaitech
Status: Youlai-mall
Vendor: CVE Published:; 5 December 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-14052?

A serious vulnerability has been identified in the youlaitech youlai-mall versions 1.0.0 and 2.0.0. The issue arises within the getMemberById function located in the /mall-ums/app-api/v1/members/ path, where improper access control measures allow for unauthorized manipulation of the memberId argument. This oversight enables potential attackers to exploit the system remotely, gaining access to sensitive member information. Despite early disclosure attempts to the vendor, no response has been received, raising concerns about the urgency for affected users to implement protective measures.

Affected Version(s)

youlai-mall 1.0.0

youlai-mall 2.0.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-14052 - Proof of Concept

References

https://vuldb.com/?id.334368

vdb-entrytechnical-description

https://vuldb.com/?ctiid.334368

signaturepermissions-required

https://vuldb.com/?submit.694854

third-party-advisory

CVSS V4

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Dec 5, 2025
👾
Exploit known to exist
Dec 5, 2025
Vulnerability published
Dec 5, 2025
Vulnerability Reserved
Dec 4, 2025

Credit

huangweigang (VulDB User)

JSON

Youlaitech