CVE-2025-70058 identifies a critical security vulnerability in YMFE yapi version 1.12.0 related to improper certificate validation (CWE-295). The root cause is the explicit disabling of TLS/SSL certificate verification by setting the 'rejectUnauthorized' parameter to false in the HTTPS agent configuration used by Axios HTTP client requests. This misconfiguration allows the application to accept any TLS certificate, including self-signed or malicious ones, effectively bypassing the trust model of HTTPS. As a result, attackers positioned on the network path can intercept and manipulate sensitive data exchanged between the client and server through man-in-the-middle (MITM) attacks. The vulnerability does not require user interaction or authentication, but the attack complexity is high because the attacker must be able to intercept network traffic. The CVSS v3.1 base score is 7.4, indicating a high severity due to the impact on confidentiality and integrity, while availability remains unaffected. No patches or fixes have been linked yet, and no known exploits are reported in the wild. The vulnerability was reserved in January 2026 and published in February 2026. Given the widespread use of Axios in Node.js applications and the specific use in YMFE yapi, this vulnerability poses a significant risk to API management platforms that rely on secure HTTPS communications.

The primary impact of CVE-2025-70058 is the compromise of confidentiality and integrity of data transmitted over HTTPS connections managed by YMFE yapi v1.12.0. Attackers capable of intercepting network traffic can exploit this vulnerability to decrypt, modify, or inject malicious content into API communications, potentially leading to data breaches, credential theft, session hijacking, or injection of malicious commands. This undermines trust in secure communications and can facilitate further attacks against backend systems or users. Since the vulnerability does not affect availability, denial-of-service is not a direct concern. However, the breach of sensitive data and integrity can have severe consequences for organizations, including regulatory penalties, reputational damage, and operational disruptions. The vulnerability affects any deployment of YMFE yapi that uses the vulnerable Axios configuration, especially those exposed to untrusted networks or the public internet.

To mitigate CVE-2025-70058, organizations should immediately audit their YMFE yapi configurations and source code to identify any instances where 'rejectUnauthorized' is set to false in Axios HTTPS agent configurations. The recommended action is to remove or set 'rejectUnauthorized' to true to enforce proper TLS/SSL certificate validation. Additionally, organizations should update to a patched version of YMFE yapi once available or apply custom patches that enforce certificate validation. Network-level protections such as TLS interception detection, strict transport security (HSTS), and network segmentation can reduce exposure. Employing certificate pinning where feasible can further mitigate MITM risks. Regular security assessments and penetration testing should verify that TLS configurations are correctly implemented. Monitoring network traffic for suspicious MITM activity and educating developers on secure TLS usage in Node.js applications are also critical steps.