CVE-2023-27025: RuoYi vulnerable to arbitrary file download

April 2, 2023 (updated July 16, 2025)

An arbitrary file download vulnerability in the background management module of RuoYi v4.7.6 and below allows attackers to download arbitrary files in the server.

References

gitee.com/y_project/RuoYi
gitee.com/y_project/RuoYi/commit/432d5ce1be2e9384a6230d7ccd8401eef5ce02b0
gitee.com/y_project/RuoYi/issues/I697Q5
github.com/advisories/GHSA-h4c9-rr5m-32fm
nvd.nist.gov/vuln/detail/CVE-2023-27025

Code Behaviors & Features

Detect and mitigate CVE-2023-27025 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →