Template Engine Vulnerability in zhijiantianya ruoyi-vue-pro by Zhijiantianya
CVE-2025-2040

5.3MEDIUM

Key Information:

Vendor
Zhijiantianya
Status
Ruoyi-vue-pro
Vendor
CVE Published:
6 March 2025

Badges

👾 Exploit Exists🟡 Public PoC

Summary

A significant vulnerability has been identified in zhijiantianya's ruoyi-vue-pro version 2.4.1, where improper handling of special elements in template engines may lead to exploitation. This issue stems from an unknown functionality in the endpoint /admin-api/bpm/model/deploy, allowing attackers to manipulate templates remotely. With the potential for public disclosure of this exploit, users are advised to secure their systems against possible attacks.

Affected Version(s)

ruoyi-vue-pro 2.4.1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-2040 - Proof of Concept

References

https://vuldb.com/?id.298783
vdb-entry
https://vuldb.com/?ctiid.298783
signaturepermissions-required
https://vuldb.com/?submit.512574
third-party-advisory

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

uglory (VulDB User)
.