PT-2025-30814 · Jhipster · Jhipster

Published 2025-07-25 · Updated 2025-08-04 · CVE-2025-43712

CVSS v3.1: 2.9 (Low)
Vector: AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
JHipster versions prior to 8.9.0

Description
JHipster versions prior to 8.9.0 are susceptible to privilege escalation through manipulation of the authorities parameter. After registering and logging in as a standard user, the authorities parameter in the response from the /api/account endpoint contains the value ROLE_USER. By modifying this value to ROLE_ADMIN, a user can escalate their privileges to an administrative level and gain access to all admin-related functionality. However, the validity of this report has been disputed: some argue that the issue only affects the front end and does not represent a backend privilege escalation.

Recommendations
Update JHipster to version 8.9.0 or later.
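As an added illustration (not JHipster's own code), a minimal model of the distinction the dispute turns on: the client's copy of the authorities returned by /api/account only drives what the UI renders, while a correctly built backend authorizes each request from its own session record and ignores any role the client claims. The session store, session id and function names are constructed for the example.

```javascript
// Added example, not JHipster code. Models the split between the client-held
// account (from /api/account) that drives the UI and the server-side record
// that must be the only input to backend authorization.

// Constructed server-side session store: session id -> account record.
const sessions = new Map([
  ["sess-user-1", { login: "user", authorities: ["ROLE_USER"] }],
]);

// Server handler for GET /api/account: hands out a copy of the session's
// account so the client can never mutate the server-side record.
function getAccount(sessionId) {
  const account = sessions.get(sessionId);
  if (!account) return null;
  return { login: account.login, authorities: [...account.authorities] };
}

// Client-side guard of the kind used to show or hide admin navigation.
function hasAnyAuthority(account, required) {
  return required.some((role) => account.authorities.includes(role));
}

// Server-side check for an admin endpoint. Only the session record is
// consulted; authorities the client sends in its request body are ignored.
function authorizeAdminRequest(sessionId, requestBody) {
  const account = sessions.get(sessionId);
  if (!account) return 401;
  return account.authorities.includes("ROLE_ADMIN") ? 200 : 403;
}

// Walks through the scenario from the advisory: after the client edits its
// own copy of authorities, the UI gate flips but the server decision does not.
function tamperScenario() {
  const clientAccount = getAccount("sess-user-1");
  const uiBefore = hasAnyAuthority(clientAccount, ["ROLE_ADMIN"]);
  clientAccount.authorities = ["ROLE_ADMIN"]; // client-side edit only
  const uiAfter = hasAnyAuthority(clientAccount, ["ROLE_ADMIN"]);
  const serverStatus = authorizeAdminRequest("sess-user-1", {
    authorities: clientAccount.authorities,
  });
  return { uiBefore, uiAfter, serverStatus };
}

console.log(tamperScenario()); // { uiBefore: false, uiAfter: true, serverStatus: 403 }
```

A backend that instead read the role from the request body or from a client-held copy of the account would turn this UI-only discrepancy into a real authorization bypass, which is the distinction the disputed report hinges on.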

Fix · LPE

Weakness Enumeration
Improper Access Control
UI Misrepresentation of Critical Information

Related Identifiers
CVE-2025-43712
GHSA-CMM8-GW4M-26CW

Affected Products
Jhipster