CVE-2025-56161: n/a
YOSHOP 2.0 allows unauthenticated information disclosure via comment-list API endpoints in the Goods module. The Comment model eagerly loads the related User model without field filtering; because User.php defines no $hidden or $visible attributes, sensitive fields (bcrypt password hash, mobile number, pay_money, expend_money) are exposed in JSON responses. Route names vary per deployment (e.g. /api/goods.pinglun/list), but all call the same vulnerable model logic.
AI Analysis
Technical Summary
CVE-2025-56161 is a security vulnerability affecting YOSHOP 2.0, an e-commerce platform. The vulnerability arises from the Comment model in the Goods module, which eagerly loads the related User model without applying any field filtering. Specifically, the User.php model does not define any $hidden or $visible attributes to restrict which user fields are serialized. As a result, sensitive user information such as bcrypt password hashes, mobile phone numbers, and the pay_money and expend_money fields is inadvertently included in the JSON responses returned by the comment-list API endpoints. These endpoints are unauthenticated and publicly accessible, meaning that any attacker can query the comment-list API (e.g., /api/goods.pinglun/list or other deployment-specific route names) and retrieve sensitive user data without any credentials or user interaction. The root cause is improper data exposure from the lack of attribute filtering in the ORM model layer, an information disclosure flaw. Although no CVSS score is assigned and no known exploits are reported in the wild yet, the vulnerability poses a significant risk because it leaks sensitive personal and financial information that could be used for identity theft, fraud, or further attacks such as credential stuffing or social engineering.
Potential Impact
For European organizations using YOSHOP 2.0, this vulnerability could lead to severe privacy violations and regulatory non-compliance, especially under the GDPR framework, which mandates strict protection of personal data. The exposure of bcrypt password hashes, while hashed, still presents a risk if attackers attempt offline cracking to recover user passwords. Disclosure of mobile numbers and financial fields (pay_money, expend_money) can facilitate targeted phishing, fraud, or financial crimes. The information leak could damage customer trust and lead to reputational harm. Additionally, organizations may face legal penalties and fines for failing to protect sensitive user data. Since the API endpoints are unauthenticated and accessible publicly, the attack surface is broad, increasing the likelihood of automated scraping or mass data harvesting. This vulnerability could also be leveraged as a stepping stone for more sophisticated attacks against the affected organizations or their customers.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately implement field-level filtering in the User model by defining $hidden or $visible attributes to exclude sensitive fields such as password hashes, mobile numbers, and financial data from API responses. Code reviews and security audits should verify that all API endpoints exposing user-related data enforce strict data minimization principles. Deployers should also consider adding authentication and authorization checks on comment-list API endpoints to restrict access to authorized users only. Rate limiting and anomaly detection mechanisms can help detect and block automated scraping attempts. If possible, patching or upgrading to a fixed version of YOSHOP that addresses this issue should be prioritized once available. In the interim, organizations can implement web application firewalls (WAFs) with custom rules to monitor and block suspicious requests to vulnerable endpoints. Finally, affected organizations should notify users about the potential exposure and recommend password changes and vigilance against phishing attempts.
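As an added example (not code from YOSHOP or from this advisory), a Python audit that walks a comment-list JSON response, reports every user field that should have been declared in $hidden, and rebuilds the response with a $visible-style allow-list so a deployer can verify the fix or enforce it at a response-filtering layer. The response shape, the column names password and mobile, and the nick_name/avatar_url fields are assumptions; the sample body is constructed.

```python
"""Audit a comment-list JSON response for leaked user fields (CVE-2025-56161)."""
import json
from typing import Any

# Deny-list: what User.php should declare in $hidden (column names assumed).
SENSITIVE_USER_FIELDS = {"password", "mobile", "pay_money", "expend_money"}
# Allow-list: what a public comment view actually needs ($visible-style, assumed).
PUBLIC_USER_FIELDS = {"user_id", "nick_name", "avatar_url"}

# Constructed response body in the shape the advisory describes:
# each comment eagerly loads a nested "user" object with every column.
SAMPLE_RESPONSE = json.dumps({
    "code": 1,
    "data": {"list": [
        {"comment_id": 7, "content": "good", "score": 10,
         "user": {"user_id": 42, "nick_name": "alice",
                  "password": "$2y$10$PLACEHOLDER_BCRYPT_HASH",
                  "mobile": "13800000000",
                  "pay_money": "120.00", "expend_money": "95.50"}},
    ]},
})


def find_leaks(node: Any, path: str = "$") -> list[str]:
    """Return the JSON path of every sensitive key anywhere in the response."""
    leaks: list[str] = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key in SENSITIVE_USER_FIELDS:
                leaks.append(child)
            leaks.extend(find_leaks(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            leaks.extend(find_leaks(item, f"{path}[{i}]"))
    return leaks


def redact_users(node: Any) -> Any:
    """Rebuild the response, keeping only allow-listed keys in nested user objects."""
    if isinstance(node, dict):
        return {k: ({f: v[f] for f in PUBLIC_USER_FIELDS if f in v}
                    if k == "user" and isinstance(v, dict) else redact_users(v))
                for k, v in node.items()}
    if isinstance(node, list):
        return [redact_users(item) for item in node]
    return node


def audit(body: str) -> tuple[list[str], Any]:
    """Audit a raw JSON body: returns (leak paths, redacted response object)."""
    parsed = json.loads(body)
    return find_leaks(parsed), redact_users(parsed)
```

Run `audit` against the raw body of your own deployment's comment-list endpoint; an empty leak list after the model fix confirms the serialized User no longer carries the sensitive columns.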
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-08-16T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 68de9f650cc3618ea8d681b0
Added to database: 10/2/2025, 3:51:01 PM
Last enriched: 10/2/2025, 3:57:13 PM
Last updated: 10/3/2025, 5:30:15 AM