CVE-2025-66916
Published: 08 January 2026
Summary
CVE-2025-66916 is a critical-severity Code Injection (CWE-94) vulnerability in Dromara Ruoyi-Vue-Plus. Its CVSS base score is 9.4 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the unfiltered user input to QLExpress by requiring validation techniques that block malicious expressions leveraging the File class for arbitrary file operations.
Provides for timely identification, reporting, and correction of the code injection flaw in the snailjob component of RuoYi-Vue-Plus.
Limits unauthenticated access to the vulnerable /snail-job/workflow/check-node-expression endpoint by explicitly defining and restricting permitted actions without identification or authentication.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct unauthenticated remote code injection in public-facing endpoint enables T1190 exploitation; arbitrary file read directly facilitates T1005 data access.
NVD Description
The snailjob component in RuoYi-Vue-Plus versions 5.5.1 and earlier, interface /snail-job/workflow/check-node-expression can execute QLExpress expressions, but it does not filter user input, allowing attackers to use the File class to perform arbitrary file reading and writing.
Deeper analysisAI
CVE-2025-66916 is a code injection vulnerability (CWE-94) in the snailjob component of RuoYi-Vue-Plus versions 5.5.1 and earlier. The affected interface, /snail-job/workflow/check-node-expression, executes QLExpress expressions derived from unfiltered user input. This allows attackers to leverage the File class within expressions to perform arbitrary file reading and writing operations. The vulnerability carries a CVSS v3.1 base score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L), indicating critical severity due to its network accessibility and lack of prerequisites.
Unauthenticated remote attackers can exploit this vulnerability by sending crafted requests to the vulnerable endpoint, as it requires no privileges or user interaction. Successful exploitation enables arbitrary file read and write access on the server, potentially leading to data exfiltration, modification of sensitive configurations, or persistence mechanisms, with high impacts on confidentiality and integrity alongside limited availability disruption.
References include a GitHub Gist detailing the issue (https://gist.github.com/Catherines77/e3f06b9c4cc6298579e858088a243c3d), the official RuoYi-Vue-Plus repository on Gitee (https://gitee.com/dromara/RuoYi-Vue-Plus), and a GitHub document on QLExpress exploitation in the project (https://github.com/Catherines77/code-au/blob/main/ruoyi-vue-plus/QLExpress.md), which security practitioners should review for mitigation guidance, patches, or upgrade instructions.
Details
- CWE(s)