CVE-2025-43712

EPSS 0.04%
Veröffentlicht 25.07.2025 13:15:29
Zuletzt bearbeitet 04.08.2025 12:15:26
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

JHipster before v.8.9.0 allows privilege escalation via a modified authorities parameter. Upon registering in the JHipster portal and logging in as a standard user, the authorities parameter in the response from the api/account endpoint contains the value ROLE_USER. By manipulating the authorities parameter and changing its value to ROLE_ADMIN, the privilege is successfully escalated to an Admin level. This allowed the access to all admin-related functionalities in the application. NOTE: this is disputed by the Supplier because there is no privilege escalation in the context of the JHipster backend (the report only demonstrates that, after using JHipster to generate an application, one can make a non-functional admin screen visible in the front end of that application).

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 7

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerJHipster

≫

Produkt JHipster

Default Statusunknown

Version < 8.9.0

Version 0

Status unknown

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.04%	0.111

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
cve@mitre.org	2.9	1.4	1.4	CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
134c704f-9b21-4f2e-91b3-4a467353bcc0	8	2.1	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CWE-451 User Interface (UI) Misrepresentation of Critical Information

The user interface (UI) does not properly represent critical information to the user, allowing the information - or its source - to be obscured or spoofed. This is often a component in phishing attacks.

https://github.com/jhipster/generator-jhipster/releases

https://medium.com/@hritikgodara/cve-2025-43712-privilege-escalation-via-response-manipulation-in-the-jhipster-platform-5e18c0434def

https://groups.google.com/g/jhipster-dev/c/ATSlWkEjw2w

https://firecompass.com/cve-2025-43712-jhipster-platform-privilege-escalation-vulnerability-discovered-by-firecompass-research-added-to-nist/

https://nvd.nist.gov/vuln/detail/CVE-2025-43712

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-43712

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-43712

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-43712