
CVE-2025-7901: Cross Site Scripting in yangzongzhuan RuoYi

Severity: Medium
Tags: Vulnerability, CVE-2025-7901
Published: Sun Jul 20 2025 (07/20/2025, 15:32:04 UTC)
Source: CVE Database V5
Vendor/Project: yangzongzhuan
Product: RuoYi

Description

A vulnerability was found in yangzongzhuan RuoYi up to 4.8.1. It has been rated as problematic. This issue affects some unknown processing of the file /swagger-ui/index.html of the component Swagger UI. The manipulation of the argument configUrl leads to cross-site scripting. The attack may be initiated remotely.

AI-Powered Analysis

AI analysis last updated: 07/28/2025, 00:57:29 UTC

Technical Analysis

CVE-2025-7901 is a cross-site scripting (XSS) vulnerability in the yangzongzhuan RuoYi framework, affecting versions up to 4.8.1. It resides in the Swagger UI component, in the processing of the /swagger-ui/index.html page, and arises from improper handling of the configUrl argument: Swagger UI loads its configuration from the location this parameter names, so an attacker who controls the parameter can cause script to execute in the victim's browser. The vulnerability is remotely exploitable without authentication but requires user interaction (for example, a victim visiting a crafted URL). The CVSS 4.0 base score is 5.3 (medium): network attack vector, low attack complexity, no privileges required. The impact is on the confidentiality and integrity of the user's session or data, since injected script could steal sensitive information or perform actions on behalf of the user; availability is not affected. No known exploits are currently reported in the wild, and no patches have been linked yet. Because Swagger UI is commonly used for API documentation and testing, the vulnerability is most likely to be used against developers or administrators who access the affected interface, potentially leading to session hijacking or further exploitation within the affected environment.

Potential Impact

For European organizations, the impact of CVE-2025-7901 could be significant in environments where the RuoYi framework is deployed, especially in internal or external-facing API documentation portals using Swagger UI. Successful exploitation could lead to theft of authentication tokens, session cookies, or other sensitive information, enabling attackers to impersonate legitimate users or escalate privileges. This could compromise internal systems, leak confidential data, or facilitate lateral movement within networks. Organizations in sectors with strict data protection regulations, such as finance, healthcare, and government, could face compliance risks and reputational damage if such vulnerabilities are exploited. Moreover, since the vulnerability requires user interaction, targeted phishing or social engineering campaigns could be used to lure users into triggering the exploit. The lack of authentication requirement for exploitation increases the attack surface, making it easier for remote attackers to attempt exploitation. However, the medium severity rating and absence of known exploits suggest that while the threat is real, it may not be immediately critical but should be addressed promptly to prevent escalation.

Mitigation Recommendations

1. Immediate mitigation should include restricting access to the Swagger UI interface to trusted internal networks or authenticated users only, reducing exposure to external attackers.
2. Implement Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in the Swagger UI context.
3. Sanitize and validate all inputs, especially the configUrl parameter, to prevent injection of malicious scripts.
4. Monitor web server logs for unusual requests targeting /swagger-ui/index.html with suspicious configUrl parameters.
5. Educate users about the risk of clicking on untrusted links that may lead to malicious Swagger UI pages.
6. Apply patches or updates from the vendor as soon as they become available.
7. Consider deploying Web Application Firewalls (WAF) with rules to detect and block XSS payloads targeting Swagger UI endpoints.
8. Conduct regular security assessments and penetration testing focusing on API documentation interfaces and related components.
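The log-monitoring recommendation above can be made concrete with a small detector. The following is an added example written for this page, not code from the RuoYi project or from the advisory source; it parses web server access log lines in combined log format, keeps only requests for /swagger-ui/index.html that carry a configUrl parameter, and flags values that point to a host outside an allow-list or that use a non-HTTP scheme. The log lines, the allow-listed host and the flagged hostnames are all constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Jul/2025:15:40:01 +0000] "GET /swagger-ui/index.html HTTP/1.1" 200 3121 "-" "Mozilla/5.0"
10.0.0.7 - - [20/Jul/2025:15:41:12 +0000] "GET /swagger-ui/index.html?configUrl=/v3/api-docs/swagger-config HTTP/1.1" 200 3121 "-" "Mozilla/5.0"
203.0.113.9 - - [20/Jul/2025:15:42:30 +0000] "GET /swagger-ui/index.html?configUrl=https%3A%2F%2Funtrusted.example%2Fconfig.json HTTP/1.1" 200 3121 "-" "curl/8.0"
203.0.113.9 - - [20/Jul/2025:15:43:02 +0000] "GET /swagger-ui/index.html?configUrl=data%3Aapplication%2Fjson%2C%7B%7D HTTP/1.1" 200 3121 "-" "curl/8.0"
10.0.0.8 - - [20/Jul/2025:15:44:00 +0000] "GET /api/users?configUrl=x HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Minimal combined-log-format parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Hosts the Swagger UI is legitimately allowed to fetch its config from.
# This value is an assumption for the example; set it to your own API host(s).
ALLOWED_CONFIG_HOSTS = {"api.internal.example"}

SWAGGER_PATH = "/swagger-ui/index.html"


def classify_config_url(value):
    """Classify a (already percent-decoded) configUrl value.

    Returns one of:
      'relative'        - same-origin path such as /v3/api-docs/swagger-config
      'allowed-host'    - absolute URL whose host is on the allow-list
      'external-host'   - absolute or protocol-relative URL to any other host
      'non-http-scheme' - data:, javascript: or any other non-http(s) scheme
    """
    parts = urlsplit(value)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return "non-http-scheme"
    if not parts.scheme and not parts.netloc:
        return "relative"
    if parts.hostname in ALLOWED_CONFIG_HOSTS:
        return "allowed-host"
    return "external-host"


def find_suspicious_swagger_requests(log_text):
    """Return findings for Swagger UI requests whose configUrl is off-host or non-HTTP."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a line we understand; skip rather than guess
        target = urlsplit(m.group("target"))
        if target.path != SWAGGER_PATH:
            continue
        # parse_qs percent-decodes values and keeps repeated parameters.
        for value in parse_qs(target.query).get("configUrl", []):
            kind = classify_config_url(value)
            if kind in ("external-host", "non-http-scheme"):
                findings.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "configUrl": value,
                    "reason": kind,
                })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_swagger_requests(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} configUrl={f['configUrl']!r} ({f['reason']})")
```

Relative configUrl values are the normal case for a deployed Swagger UI and are left alone; protocol-relative values (`//host/...`) are deliberately treated as external, since the browser would resolve them to another origin. Run the script over a real access log by replacing `SAMPLE_LOG` with the file contents; the same classification logic is what a WAF rule for recommendation 7 would need to express.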


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-07-19T14:08:11.164Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 687d0f3fa83201eaac034b3a

Added to database: 7/20/2025, 3:46:07 PM

Last enriched: 7/28/2025, 12:57:29 AM

Last updated: 10/18/2025, 9:36:09 PM

Views: 65
