CVE-2025-14051
Published: 04 December 2025
Summary
CVE-2025-14051 is a medium-severity Improper Control of Dynamically-Managed Code Resources (CWE-913) vulnerability in Youlai Youlai-Mall. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 12.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-2 requires timely identification, reporting, and correction of flaws such as improper control of dynamically-identified variables in the youlai-mall address functions.
SI-10 mandates validation and sanitization of inputs to the getById, updateAddress, and deleteAddress functions, directly preventing exploitation of dynamic variable manipulation.
RA-5 employs vulnerability scanning to identify deployments of vulnerable youlai-mall versions affected by CVE-2025-14051.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
IDOR in addresses API (/getById, /updateAddress, /deleteAddress) enables authenticated users to perform horizontal privilege escalation (T1068) by accessing/updating/deleting other users' PII without ownership checks, discover accounts via ID enumeration and exposed memberIds/names (T1087), collect data from the app repository (T1213), and manipulate stored data (T1565.001).
NVD Description
A flaw has been found in youlaitech youlai-mall 1.0.0/2.0.0. Affected is the function getById/updateAddress/deleteAddress of the file /mall-ums/app-api/v1/addresses/. Executing manipulation can lead to improper control of dynamically-identified variables. The attack can be executed remotely. The exploit has been published and…
more
may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysisAI
CVE-2025-14051 is a vulnerability in youlaitech youlai-mall versions 1.0.0 and 2.0.0, affecting the functions getById, updateAddress, and deleteAddress within the file /mall-ums/app-api/v1/addresses/. The flaw stems from improper control of dynamically-identified variables, mapped to CWE-913 and CWE-914.
The vulnerability enables remote exploitation (AV:N) with low attack complexity (AC:L), requiring low privileges (PR:L) and no user interaction (UI:N). Successful attacks can result in low impacts to confidentiality, integrity, and availability (C:L/I:L/A:L), yielding a CVSS v3.1 base score of 6.3.
Advisories on VulDB and related GitHub issues document the issue, noting that an exploit has been published and is available for use. The vendor was contacted early regarding disclosure but provided no response, with no patches or official mitigations referenced.
Notable context includes the public availability of the exploit, which may facilitate real-world attacks against unpatched instances.
Details
- CWE(s)