CVE-2025-70058
Published: 23 February 2026
Summary
CVE-2025-70058 is a high-severity Improper Certificate Validation (CWE-295) vulnerability in Ymfe Yapi. Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Adversary-in-the-Middle (T1557). The CVE is ranked at the 7.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-17 (Public Key Infrastructure Certificates) and SC-8 (Transmission Confidentiality and Integrity).
Deeper analysis
CVE-2025-70058 is an instance of CWE-295 (Improper Certificate Validation) affecting YMFE yapi version 1.12.0. The vulnerability arises because the application disables TLS/SSL certificate validation by explicitly setting 'rejectUnauthorized': false in the HTTPS agent configuration used for Axios requests. With that setting, yapi accepts any certificate the remote server presents on its outbound HTTPS requests, including self-signed, expired, wrong-hostname or attacker-generated ones, so the TLS layer no longer proves who is on the other end of the connection. The issue carries a CVSS v3.1 base score of 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating high severity due to potential impacts on confidentiality and integrity.
Remote attackers can exploit this vulnerability through a man-in-the-middle (MITM) attack. The attack complexity is rated high because the attacker must first obtain a position on the network path between yapi and the upstream hosts it calls, for example by controlling a network segment or otherwise redirecting the traffic; no compromise of a trusted certificate authority is required, since any certificate the attacker generates is accepted. No privileges, user interaction, or scope change are needed. Successful exploitation allows attackers to intercept sensitive data in transit or tamper with request/response payloads, leading to high confidentiality and integrity violations without affecting availability.
For mitigation details and further analysis, refer to the provided references, including a GitHub Gist at https://gist.github.com/zcxlighthouse/11c53803faf23f607c2787c166e811d4 detailing the issue, as well as the YMFE organization page at https://github.com/YMFE and the yapi repository at https://github.com/YMFE/yapi. The vulnerability was published on 2026-02-23T16:29:36.433.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-207650
Vulnerability details
An issue pertaining to CWE-295: Improper Certificate Validation was discovered in YMFE yapi v1.12.0. The application disables TLS/SSL certificate validation by setting 'rejectUnauthorized': false in the HTTPS agent configuration for Axios requests.
Related Threats
MITRE ATT&CK Enterprise Techniques: Adversary-in-the-Middle (T1557)
Why this technique? Improper certificate validation (CWE-295) with rejectUnauthorized:false means yapi accepts whatever certificate an attacker on the network path presents, so an adversary-in-the-middle can intercept or tamper with its HTTPS traffic undetected, mapping directly to Adversary-in-the-Middle.
Mitigating Controls (NIST 800-53 r5)
- SC-8 (Transmission Confidentiality and Integrity): Directly requires cryptographic protection of transmitted data, which mandates proper TLS certificate validation instead of disabling it via rejectUnauthorized:false.
- SC-17 (Public Key Infrastructure Certificates): Requires proper issuance, validation, and management of PKI certificates for all external connections, directly preventing the CWE-295 misconfiguration.
- Mandates use of approved cryptographic mechanisms for protecting data in transit, addressing the disabled certificate checks in Axios HTTPS agents.