CVE-2025-55741: UnoPim has Broken Access Control
In UnoPim, an administrator can create roles and choose the privileges each role receives. However, users whose role lacks the “Delete” privilege for Products, while correctly prevented from deleting a single product via the standard endpoint, can still delete products via the mass-delete endpoint, even when the request contains only one product ID.
References
- github.com/advisories/GHSA-8p2f-fx4q-75cx
- github.com/unopim/unopim
- github.com/unopim/unopim/commit/c14eebe653aafd8dc713ca729165177e63315989
- github.com/unopim/unopim/commit/f49fa630afd36ff61c146b3e5bc7a0808667ca19
- github.com/unopim/unopim/security/advisories/GHSA-8p2f-fx4q-75cx
- nvd.nist.gov/vuln/detail/CVE-2025-55741
- youtu.be/J_WV8fCXlJM