PT-2025-49143 · Yzcheng90 · X-Springboot

Liuchengjie01 · Published 2025-12-04 · Updated 2025-12-08 · CVE-2025-55948

CVSS v3.1: 7.3 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: yzcheng90 X-SpringBoot version 6.0

Description: The issue stems from a role-based access control (RBAC) implementation that keeps authorization state in two places, the frontend menu system and the backend permission table, without atomic synchronization between them. A desynchronization occurs when a frontend menu update, such as a privilege revocation, is not immediately reflected in the backend permission table. During that window the backend still honours the revoked permission, so an attacker can bypass the UI restriction and reach privileged functions directly, for example by sending API requests with a tool like Postman to endpoints that should no longer be accessible. Actions available this way include creating high-permission user accounts, accessing sensitive data, and executing admin-level commands. The vulnerable API endpoints are called directly, bypassing the intended access controls. The vulnerable parameters or variables are not explicitly mentioned.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
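The following is an added illustration of the weakness class described above, not code from the X-SpringBoot project. It models the two stores (a frontend menu and a backend permission table) as in-memory dictionaries; the role name "editor", the endpoint paths and the function names are assumptions. It shows why a non-atomic revoke leaves a stale grant that a direct API call can still use, how an atomic update closes the window, and two defensive checks: an audit that lists grants the backend still holds but the menu no longer shows, and a request filter that flags calls to endpoints absent from the caller's menu.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class RbacState:
    """Two stores that the advisory says are not kept in sync.

    menu:             what the frontend renders for each role
    permission_table: what the backend consults when a request arrives
    """
    menu: Dict[str, Set[str]] = field(default_factory=dict)
    permission_table: Dict[str, Set[str]] = field(default_factory=dict)


def sample_state() -> RbacState:
    # Constructed sample data; role and endpoint names are assumptions.
    perms = {"/api/user/save", "/api/report/view"}
    return RbacState(menu={"editor": set(perms)},
                     permission_table={"editor": set(perms)})


def revoke_non_atomic(state: RbacState, role: str, perm: str) -> None:
    """Flawed pattern: the menu is updated at once, the permission table is
    left to a later sync step. Until that step runs the backend still grants
    the revoked permission, which is the desync window in the advisory."""
    state.menu[role].discard(perm)
    # permission_table deliberately untouched here


def revoke_atomic(state: RbacState, role: str, perm: str) -> None:
    """Hardened pattern: update both stores together and roll both back if
    either update fails. In a real application this is one DB transaction
    covering the menu and permission tables."""
    menu_backup = {r: set(p) for r, p in state.menu.items()}
    table_backup = {r: set(p) for r, p in state.permission_table.items()}
    try:
        state.menu[role].discard(perm)
        state.permission_table[role].discard(perm)
    except Exception:
        state.menu, state.permission_table = menu_backup, table_backup
        raise


def authorize(state: RbacState, role: str, endpoint: str) -> bool:
    """Server-side check. Only the backend table is consulted; what the UI
    shows or hides is irrelevant, so a direct API call gets exactly the same
    answer as a click in the menu. This is why the table must be current."""
    return endpoint in state.permission_table.get(role, set())


def find_stale_grants(state: RbacState) -> Dict[str, Set[str]]:
    """Audit helper: permissions the backend still grants although the menu
    no longer offers them. A non-empty result is the condition the advisory
    describes and should be treated as a finding."""
    stale: Dict[str, Set[str]] = {}
    for role, perms in state.permission_table.items():
        hidden = perms - state.menu.get(role, set())
        if hidden:
            stale[role] = hidden
    return stale


def flag_requests_outside_menu(state: RbacState,
                               requests: List[Tuple[str, str]]
                               ) -> List[Tuple[str, str]]:
    """Detection helper over (role, endpoint) request records: calls to
    endpoints that the caller's menu does not expose cannot have come from
    the UI and deserve review."""
    return [(role, ep) for role, ep in requests
            if ep not in state.menu.get(role, set())]


if __name__ == "__main__":
    s = sample_state()
    revoke_non_atomic(s, "editor", "/api/user/save")
    print("backend still allows revoked call:",
          authorize(s, "editor", "/api/user/save"))
    print("stale grants:", find_stale_grants(s))
    s2 = sample_state()
    revoke_atomic(s2, "editor", "/api/user/save")
    print("after atomic revoke:", authorize(s2, "editor", "/api/user/save"))
```

Run against the sample state, the non-atomic revoke leaves authorize() returning True for the revoked endpoint and find_stale_grants() reporting it, while the atomic revoke makes authorize() return False immediately and leaves no stale grant. The two helpers at the end are the checks a defender can run against the real tables: the audit as a periodic job, the request filter over API access logs.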

Exploit

Weakness Enumeration: Incorrect Privilege Assignment

Related Identifiers: CVE-2025-55948

Affected Products: X-Springboot