
CVE-2025-70058: n/a

Published: Mon Feb 23 2026 (02/23/2026, 00:00:00 UTC)
Source: CVE Database V5

Description

An issue pertaining to CWE-295: Improper Certificate Validation was discovered in YMFE yapi v1.12.0. The application disables TLS/SSL certificate validation by setting 'rejectUnauthorized': false in the HTTPS agent configuration for Axios requests.

AI-Powered Analysis

Last updated: 02/23/2026, 16:17:05 UTC

Technical Analysis

CVE-2025-70058 identifies a critical security vulnerability in YMFE yapi version 1.12.0 related to improper certificate validation (CWE-295). The root cause is the explicit disabling of TLS/SSL certificate verification by setting the 'rejectUnauthorized' flag to false within the HTTPS agent configuration used by Axios HTTP client requests. This misconfiguration effectively bypasses the security guarantees provided by HTTPS, allowing attackers positioned on the network path to intercept, modify, or spoof communications between the client and server without detection. Since TLS/SSL certificates are not validated, attackers can present fraudulent certificates, enabling man-in-the-middle (MITM) attacks that compromise confidentiality and integrity of data in transit. The vulnerability does not require user authentication or complex exploitation techniques, only the ability to intercept network traffic. Although no public exploits have been reported yet, the flaw is straightforward to exploit in environments where network interception is feasible, such as public Wi-Fi or compromised internal networks. The lack of a CVSS score suggests this is a newly published vulnerability, but the technical details indicate a high-risk issue. The vulnerability affects all deployments of YMFE yapi v1.12.0 that use Axios with this insecure configuration. Without proper certificate validation, sensitive information such as API tokens, credentials, or personal data can be exposed or manipulated by attackers.

Potential Impact

The primary impact of CVE-2025-70058 is the compromise of confidentiality and integrity of data transmitted via HTTPS in affected YMFE yapi applications. Attackers can perform man-in-the-middle attacks to eavesdrop on sensitive information, inject malicious payloads, or hijack sessions. This can lead to data breaches, unauthorized access, and further exploitation of internal systems. Organizations relying on YMFE yapi for API management or development may face significant risks, especially if sensitive or regulated data is transmitted. The vulnerability can undermine trust in secure communications and may facilitate lateral movement within corporate networks if exploited. Given the widespread use of Axios and the popularity of YMFE yapi in certain developer communities, the scope of affected systems could be broad. The absence of authentication requirements and the ease of exploitation increase the threat level. Although no known exploits exist in the wild, the vulnerability presents a clear attack vector for adversaries with network access.

Mitigation Recommendations

To mitigate CVE-2025-70058, organizations should immediately audit their YMFE yapi deployments and Axios HTTP client configurations to ensure 'rejectUnauthorized' is set to true or omitted to enforce default certificate validation. Developers must avoid disabling TLS/SSL verification in production environments. Applying patches or updates from YMFE yapi vendors that address this issue is critical once available. Network-level protections such as enforcing HTTPS with strict transport security (HSTS) and using network segmentation can reduce exposure. Employing certificate pinning where feasible can further protect against MITM attacks. Regular security code reviews and automated scanning for insecure TLS configurations in development pipelines are recommended. Additionally, educating developers about the risks of disabling certificate validation and establishing secure coding guidelines can prevent recurrence. Monitoring network traffic for suspicious MITM activity and using endpoint detection tools can help identify exploitation attempts.
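
The configuration audit recommended above can run as a pipeline check. The following is an added example, not code from YMFE yapi or from this advisory: a small Node.js scanner that flags lines setting rejectUnauthorized to false, with the key quoted or unquoted. It goes beyond the advisory by also flagging NODE_TLS_REJECT_UNAUTHORIZED set to 0, which disables validation process-wide; the sample source, the rule ids and the function name scanSource are constructed for illustration.

```javascript
// Constructed sample input (not taken from the yapi code base): the first agent
// mirrors the setting the advisory describes, the second is the corrected form.
const SAMPLE_SOURCE = `
const https = require('https');
const axios = require('axios');

// weak: certificate validation switched off
const insecureAgent = new https.Agent({ 'rejectUnauthorized': false });
axios.get(url, { httpsAgent: insecureAgent });

// corrected: rejectUnauthorized omitted or true keeps default validation
const strictAgent = new https.Agent({ rejectUnauthorized: true, keepAlive: true });

// commented-out code must not be reported:
// new https.Agent({ rejectUnauthorized: false })
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
`;

// Rule ids are hypothetical names chosen for this example.
const RULES = [
  // Matches `rejectUnauthorized: false` and `'rejectUnauthorized': false`, plus
  // assignment (`x.rejectUnauthorized = false`); comparisons (===) do not match.
  { id: 'agent-reject-unauthorized-false',
    re: /['"]?rejectUnauthorized['"]?\s*[:=]\s*false\b/ },
  // Process-wide switch: NODE_TLS_REJECT_UNAUTHORIZED set to 0 in code.
  { id: 'env-node-tls-reject-unauthorized',
    re: /NODE_TLS_REJECT_UNAUTHORIZED['"\]]*\s*=\s*['"]?0\b/ },
];

// Returns one finding per (line, rule) hit. Only whole-line comments are
// skipped; trailing comments and block comments spanning lines are not parsed.
function scanSource(source, file = '<inline>') {
  const findings = [];
  source.split(/\r?\n/).forEach((line, idx) => {
    const code = line.trim();
    if (/^(\/\/|\/\*|\*)/.test(code)) return;
    for (const rule of RULES) {
      if (rule.re.test(code)) {
        findings.push({ file, line: idx + 1, rule: rule.id, text: code });
      }
    }
  });
  return findings;
}

// Stand-alone run: print findings for the sample (a CI job would exit non-zero).
console.log(scanSource(SAMPLE_SOURCE, 'sample.js'));
```

Because the match is textual, a value passed through a variable (for example an options object built elsewhere) is not detected; treat a clean result as a first pass, not proof of correct validation.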


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2026-01-09T00:00:00.000Z
Cvss Version: null
State: PUBLISHED

Threat ID: 699c7b9bbe58cf853ba5282b

Added to database: 2/23/2026, 4:08:59 PM

Last enriched: 2/23/2026, 4:17:05 PM

Last updated: 2/24/2026, 5:22:33 AM
