Vulnerability Description
This vulnerability fundamentally arises from yzcheng90 X-SpringBoot 6.0's implementation of role-based access control (RBAC) through dual dependency on frontend menu systems and backend permission tables, without enforcing atomic synchronization between these components. The critical flaw manifests when frontend menu updates (such as privilege revocation) fail to propagate to the backend permission table in real-time, creating a dangerous desynchronization. While users lose access to restricted functions through the web interface (as UI elements properly disappear), the stale permission records still validate unauthorized API requests when accessed directly through tools like Postman. Attackers exploiting this inconsistency can perform privileged operations including but not limited to: creating high-permission user accounts, accessing sensitive data beyond their clearance level, and executing admin-level commands.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Yzcheng90 | X-Springboot | 6.0 |
Related Weaknesses (CWE)
References
- https://github.com/liuchengjie01/vuln_db/blob/master/x-springboot3x-vul/x-springExploitThird Party Advisory
- https://github.com/yzcheng90/X-SpringBootProduct
FAQ
What is CVE-2025-55948?
CVE-2025-55948 is a vulnerability with a CVSS score of 7.3 (HIGH). This vulnerability fundamentally arises from yzcheng90 X-SpringBoot 6.0's implementation of role-based access control (RBAC) through dual dependency on frontend menu systems and backend permission tab...
How severe is CVE-2025-55948?
CVE-2025-55948 has been rated HIGH with a CVSS base score of 7.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-55948?
Check the references section above for vendor advisories and patch information. Affected products include: Yzcheng90 X-Springboot.