CVE-2025-66916: n/a
The snailjob component in RuoYi-Vue-Plus versions 5.5.1 and earlier, interface /snail-job/workflow/check-node-expression can execute QLExpress expressions, but it does not filter user input, allowing attackers to use the File class to perform arbitrary file reading and writing.
AI Analysis
Technical Summary
CVE-2025-66916 identifies a critical vulnerability in the snailjob component of RuoYi-Vue-Plus, an open-source Java-based rapid development framework widely used for enterprise applications. The vulnerability resides in the /snail-job/workflow/check-node-expression interface, which executes QLExpress expressions (QLExpress is a scripting language for Java environments). The core issue is the lack of input filtering or sanitization on user-supplied expressions, allowing attackers to inject malicious QLExpress code. Specifically, attackers can exploit the File class within QLExpress to perform arbitrary file read and write operations on the server hosting the application. This can lead to unauthorized disclosure of sensitive files, modification or deletion of critical data, and potentially remote code execution if attackers write malicious scripts or configuration files. The vulnerability affects all RuoYi-Vue-Plus versions 5.5.1 and earlier, with no authentication or user interaction required to exploit the flaw, making it highly accessible to remote attackers. Although no known exploits are currently reported in the wild, the simplicity of exploitation and the severity of impact make this a significant threat. The absence of a CVSS score necessitates an assessment based on impact and exploitability factors. Given the direct file system access and lack of input validation, the vulnerability poses a high risk to confidentiality, integrity, and availability of affected systems. Enterprises relying on RuoYi-Vue-Plus for workflow automation and business process management should consider this a priority security issue.
Potential Impact
For European organizations, the impact of CVE-2025-66916 can be substantial. The arbitrary file read/write capability can lead to exposure of confidential business data, intellectual property, and personal data protected under GDPR, resulting in regulatory penalties and reputational damage. Attackers could modify configuration files or inject malicious code, potentially leading to system downtime or full compromise of enterprise applications. This could disrupt critical business operations, especially in sectors like finance, healthcare, and manufacturing where RuoYi-Vue-Plus might be used for internal process automation. The vulnerability’s ease of exploitation without authentication increases the likelihood of targeted attacks or opportunistic scanning by cybercriminals. Additionally, the breach of data confidentiality could trigger compliance violations under European data protection laws. The threat also extends to supply chain risks if compromised systems are integrated with other enterprise platforms. Overall, the vulnerability threatens operational continuity, data security, and regulatory compliance for European entities using the affected software.
Mitigation Recommendations
To mitigate CVE-2025-66916, organizations should immediately implement strict input validation and sanitization on all QLExpress expressions processed by the snailjob component, particularly within the /snail-job/workflow/check-node-expression interface. Restrict or disable the use of sensitive classes such as File within QLExpress scripts to prevent unauthorized file system access. Monitor and log all usage of the vulnerable interface to detect anomalous or suspicious expression executions. Apply any available patches or updates from the RuoYi-Vue-Plus maintainers as soon as they are released. If patches are not yet available, consider temporarily disabling or restricting access to the vulnerable endpoint, especially from untrusted networks. Employ web application firewalls (WAFs) with custom rules to block malicious payloads targeting QLExpress injection. Conduct thorough code reviews and security testing of workflow automation components to identify similar injection risks. Educate development and security teams about the risks of executing untrusted expressions and enforce the principle of least privilege in application design. Finally, maintain regular backups and incident response plans to quickly recover from potential exploitation.
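The two recommendations above that a developer can act on directly, validating the expression before it reaches the engine and denying scripts any route to classes such as File, can be combined in one small wrapper. The following is an added example, not code from RuoYi-Vue-Plus, snail-job or QLExpress; the class SafeConditionEvaluator and its methods are hypothetical names, and the two QLExpressRunStrategy calls assume QLExpress 3.3.x, where sandbox mode and the risk-method block list are exposed under those names.

```java
import com.ql.util.express.DefaultContext;
import com.ql.util.express.ExpressRunner;
import com.ql.util.express.config.QLExpressRunStrategy;

import java.util.Map;
import java.util.regex.Pattern;

/**
 * Hardened wrapper for evaluating user-supplied workflow condition expressions with QLExpress.
 * Added illustration; not code from RuoYi-Vue-Plus or snail-job. Class and method names here
 * are hypothetical. The QLExpressRunStrategy calls assume QLExpress 3.3.x.
 */
public final class SafeConditionEvaluator {

    /** Upper bound on expression length; decision-node conditions are short. */
    private static final int MAX_LENGTH = 256;

    /**
     * Allowlist grammar: identifiers (context variables), numeric and quoted-string literals,
     * comparison / logical / arithmetic operators and parentheses. No '.', ';', ',' or
     * keywords, so class references, imports, statements and multi-argument calls cannot be written.
     */
    private static final Pattern ALLOWED_TOKENS = Pattern.compile(
            "^(?:\\s*(?:[A-Za-z_][A-Za-z0-9_]*"      // variable name
            + "|\\d+(?:\\.\\d+)?"                     // number
            + "|\"[^\"\\\\]*\"|'[^'\\\\]*'"           // string literal without escapes
            + "|==|!=|<=|>=|&&|\\|\\|"                // two-character operators
            + "|[<>+\\-*/%!()]))+\\s*$");             // single-character operators and parens

    /** A name directly followed by '(' is a function or method invocation; reject it. */
    private static final Pattern CALL = Pattern.compile("[A-Za-z0-9_]\\s*\\(");

    /** QLExpress keywords that introduce class loading, object construction or definitions. */
    private static final Pattern KEYWORD = Pattern.compile("\\b(?:new|import|class|function)\\b");

    private final ExpressRunner runner = new ExpressRunner();

    public SafeConditionEvaluator() {
        // Assumed QLExpress 3.3.x switches, a second layer behind the allowlist: sandbox mode
        // blocks Java method/field access and imports from scripts, and the risk-method block
        // list refuses known dangerous calls even when sandbox mode is later relaxed.
        QLExpressRunStrategy.setSandBoxMode(true);
        QLExpressRunStrategy.setForbidInvokeSecurityRiskMethods(true);
    }

    /** Purely syntactic gate; safe to run before any parsing or logging. */
    public static boolean isAllowed(String expr) {
        if (expr == null || expr.isEmpty() || expr.length() > MAX_LENGTH) {
            return false;
        }
        if (KEYWORD.matcher(expr).find() || CALL.matcher(expr).find()) {
            return false;
        }
        return ALLOWED_TOKENS.matcher(expr).matches();
    }

    /** Evaluates a condition against workflow context variables; throws on rejected input. */
    public Object evaluate(String expr, Map<String, ?> variables) throws Exception {
        if (!isAllowed(expr)) {
            // The caller should log this together with the requesting principal:
            // the rejected expression text is the detection signal.
            throw new IllegalArgumentException("workflow expression rejected by allowlist");
        }
        DefaultContext<String, Object> context = new DefaultContext<>();
        context.putAll(variables);
        // execute(expression, context, errorList, useCache, trace)
        return runner.execute(expr, context, null, true, false);
    }

    public static void main(String[] args) throws Exception {
        SafeConditionEvaluator evaluator = new SafeConditionEvaluator();
        // Constructed sample: a legitimate decision-node condition passes and evaluates.
        System.out.println(evaluator.evaluate("status == 1 && amount > 100",
                Map.of("status", 1, "amount", 250)));            // true
        // Constructed samples: anything naming a class or invoking a method is refused
        // before the engine ever sees it.
        System.out.println(isAllowed("new java.io.File(\"x\")"));   // false
        System.out.println(isAllowed("status.getClass()"));         // false
    }
}
```

The allowlist is deliberately narrow: workflow decision conditions compare context variables against literals, so refusing '.', ';', ',', 'new' and 'import' rejects nothing legitimate while making class references and method invocations unexpressible. The engine-level switches exist so that a later widening of the grammar does not silently reopen file-system access. Rejected expressions should be logged with the requesting identity, since they are exactly the anomalous executions the monitoring recommendation asks teams to watch for.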
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-12-08T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 696007e501d35e5d0ca11109
Added to database: 1/8/2026, 7:39:17 PM
Last enriched: 1/8/2026, 7:54:08 PM
Last updated: 1/9/2026, 12:22:01 PM