CVE-2025-43712

Source
https://cve.org/CVERecord?id=CVE-2025-43712
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-43712.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-43712
Published
2025-07-25T13:15:29.927Z
Modified
2026-04-10T05:27:09.587167Z
Severity
  • 2.9 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary
[none]
Details

JHipster before v.8.9.0 allows privilege escalation via a modified authorities parameter. Upon registering in the JHipster portal and logging in as a standard user, the authorities parameter in the response from the api/account endpoint contains the value ROLE_USER. By manipulating the authorities parameter and changing its value to ROLE_ADMIN, the privilege is successfully escalated to an Admin level. This allowed access to all admin-related functionality in the application. NOTE: this is disputed by the Supplier because there is no privilege escalation in the context of the JHipster backend (the report only demonstrates that, after using JHipster to generate an application, one can make a non-functional admin screen visible in the front end of that application).

References

Affected packages

Git / github.com/jhipster/generator-jhipster

Affected ranges

Type
GIT
Repo
https://github.com/jhipster/generator-jhipster
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "v.8.9.0"
        }
    ]
}

Affected versions

Other
untagged-94e0f1ee8d21ff6f87ca
v0.*
v0.10.0
v0.10.1
v0.11.0
v0.13.0
v0.14.0
v0.15.0
v0.16.0
v0.17.0
v0.17.1
v0.17.2
v0.18.0
v0.18.1
v0.3.1
v0.4.0
v0.5.0
v0.5.1
v0.5.2
v0.6.0
v0.6.1
v0.6.2
v0.7.0
v0.7.1
v0.8.0
v0.8.1
v0.8.2
v0.8.3
v0.8.4
v0.9.0
v0.9.1
v0.9.2
v0.9.3
v1.*
v1.0.0
v1.1.0
v1.1.1
v1.2.0
v1.2.1
v1.2.2
v1.3.0
v1.4.0
v1.5.0
v1.7.0
v1.7.1
v1.8.0
v1.8.1
v2.*
v2.0.0
v2.1.0
v2.1.1
v2.10.0
v2.10.1
v2.11.0
v2.11.1
v2.12.0
v2.13.0
v2.13.1
v2.15.0
v2.15.1
v2.15.2
v2.16.0
v2.16.1
v2.17.0
v2.19.0
v2.2.0
v2.20.0
v2.21.0
v2.21.1
v2.22.0
v2.23.0
v2.23.1
v2.24.0
v2.25.0
v2.26.0
v2.26.1
v2.26.2
v2.27.0
v2.4.0
v2.5.0
v2.5.1
v2.5.2
v2.6.0
v2.7.0
v2.8.0
v2.9.0
v2.9.1
v2.9.2
v3.*
v3.0.0
v3.1.0
v3.10.0
v3.11.0
v3.12.0
v3.12.1
v3.2.0
v3.2.1
v3.3.0
v3.4.0
v3.7.0
v3.7.1
v3.8.0
v3.9.0
v3.9.1
v4.*
v4.0.3
v4.0.4
v4.0.5
v4.0.6
v4.0.7
v4.0.8
v4.1.0
v4.1.1
v4.10.0
v4.10.1
v4.10.2
v4.11.0
v4.11.1
v4.12.0
v4.13.0
v4.13.1
v4.13.2
v4.13.3
v4.14.0
v4.2.0
v4.3.0
v4.4.0
v4.4.1
v4.5.0
v4.5.1
v4.5.2
v4.5.3
v4.5.4
v4.5.5
v4.5.6
v4.6.0
v4.6.1
v4.6.2
v4.7.0
v4.8.0
v4.8.1
v4.8.2
v4.9.0
v5.*
v5.0.0
v5.0.0-beta.0
v5.0.0-beta.1
v5.0.0-beta.2
v5.0.0-beta.3
v5.0.1
v5.0.2
v5.1.0
v5.2.0
v5.2.1
v5.3.0
v5.3.1
v5.3.2
v5.3.3
v5.3.4
v5.4.0
v5.4.1
v5.4.2
v5.5.0
v5.6.0
v5.7.0
v5.7.1
v5.7.2
v5.8.0
v5.8.1
v6.*
v6.0.0
v6.0.0-beta.0
v6.0.1
v6.1.0
v6.1.1
v6.1.2
v6.10.0
v6.2.0
v6.3.0
v6.3.1
v6.4.0
v6.4.1
v6.5.1
v6.6.0
v6.7.0
v6.7.1
v6.8.0
v6.9.0
v6.9.1
v7.*
v7.0.0
v7.0.0-beta.0
v7.0.0-beta.1
v7.0.1
v7.1.0
v7.2.0
v7.3.0
v7.3.1
v7.4.0
v7.4.1
v7.5.0
v7.6.0
v7.7.0
v7.8.0
v7.8.1
v7.9.0
v7.9.3
v8.*
v8.0.0
v8.0.0-beta.1
v8.0.0-beta.2
v8.0.0-beta.3
v8.0.0-rc.1
v8.1.0
v8.2.1
v8.4.0
v8.5.0
v8.6.0
v8.7.0
v8.7.1
v8.7.2
v8.7.3
v8.8.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-43712.json"