CVE-2025-43712: Withdrawn Advisory: JHipster allows privilege escalation via a modified authorities parameter
Withdrawn Advisory
This advisory has been withdrawn because the original report was found to be invalid. This link is maintained to preserve external references. For more information, see https://groups.google.com/g/jhipster-dev/c/ATSlWkEjw2w.
Original Description
JHipster before v.8.9.0 allows privilege escalation via a modified authorities parameter. Upon registering in the JHipster portal and logging in as a standard user, the authorities parameter in the response from the api/account endpoint contains the value ROLE_USER. By manipulating the authorities parameter and changing its value to ROLE_ADMIN, the privilege is successfully escalated to an Admin level. This allowed access to all admin-related functionality in the application.
References
- firecompass.com/cve-2025-43712-jhipster-platform-privilege-escalation-vulnerability-discovered-by-firecompass-research-added-to-nist
- github.com/advisories/GHSA-cmm8-gw4m-26cw
- github.com/jhipster/generator-jhipster
- github.com/jhipster/generator-jhipster/releases
- groups.google.com/g/jhipster-dev/c/ATSlWkEjw2w
- medium.com/@hritikgodara/cve-2025-43712-privilege-escalation-via-response-manipulation-in-the-jhipster-platform-5e18c0434def
- nvd.nist.gov/vuln/detail/CVE-2025-43712