Cyber Resilience

CVE-2025-66916

CriticalPublic PoCRCE

Published: 08 January 2026

Published
08 January 2026
Modified
30 January 2026
KEV Added
Patch
CVSS Score v3.1 9.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
EPSS Score 0.0063 45.4th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2025-66916 is a critical-severity Code Injection (CWE-94) vulnerability in Dromara Ruoyi-Vue-Plus. Its CVSS base score is 9.4 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 45.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-66916 is a code injection vulnerability (CWE-94) in the snailjob component of RuoYi-Vue-Plus versions 5.5.1 and earlier. The affected interface, /snail-job/workflow/check-node-expression, executes QLExpress expressions derived from unfiltered user input. This allows attackers to leverage the File class within expressions to perform arbitrary file reading and writing operations. The vulnerability carries a CVSS v3.1 base score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L), indicating critical severity due to its network accessibility and lack of prerequisites.

Unauthenticated remote attackers can exploit this vulnerability by sending crafted requests to the vulnerable endpoint, as it requires no privileges or user interaction. Successful exploitation enables arbitrary file read and write access on the server, potentially leading to data exfiltration, modification of sensitive configurations, or persistence mechanisms, with high impacts on confidentiality and integrity alongside limited availability disruption.

References include a GitHub Gist detailing the issue (https://gist.github.com/Catherines77/e3f06b9c4cc6298579e858088a243c3d), the official RuoYi-Vue-Plus repository on Gitee (https://gitee.com/dromara/RuoYi-Vue-Plus), and a GitHub document on QLExpress exploitation in the project (https://github.com/Catherines77/code-au/blob/main/ruoyi-vue-plus/QLExpress.md), which security practitioners should review for mitigation guidance, patches, or upgrade instructions.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

The snailjob component in RuoYi-Vue-Plus versions 5.5.1 and earlier, interface /snail-job/workflow/check-node-expression can execute QLExpress expressions, but it does not filter user input, allowing attackers to use the File class to perform arbitrary file reading and writing.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

Direct unauthenticated remote code injection in public-facing endpoint enables T1190 exploitation; arbitrary file read directly facilitates T1005 data access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-29039Shared CWE-94
CVE-2024-11613Shared CWE-94
CVE-2026-41229Shared CWE-94
CVE-2026-44262Shared CWE-94
CVE-2026-40563Shared CWE-94
CVE-2024-32641Shared CWE-94
CVE-2026-2052Shared CWE-94
CVE-2025-71243Shared CWE-94
CVE-2026-9170Shared CWE-94
CVE-2025-54451Shared CWE-94

Affected Assets

dromara
ruoyi-vue-plus
≤ 5.5.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the unfiltered user input to QLExpress by requiring validation techniques that block malicious expressions leveraging the File class for arbitrary file operations.

prevent

Provides for timely identification, reporting, and correction of the code injection flaw in the snailjob component of RuoYi-Vue-Plus.

prevent

Limits unauthenticated access to the vulnerable /snail-job/workflow/check-node-expression endpoint by explicitly defining and restricting permitted actions without identification or authentication.

References