Re: Official statement for CVE-2025-43712?


Julien Dubois

Jul 28, 2025, 12:08:16 PM
to Stefan Hansel, JHipster dev team
Hi Stefan!

Thank you for pointing this out!
I’m adding our public dev mailing list for awareness.
Yes, I confirm we do not endorse this CVE, and it only engages the author of the CVE and his company.

We have been discussing this with them for several weeks, and had a close look (including myself directly).
They have not been able to prove any escalation to us; all they did was modify the UI to show the admin screens. This is also why we won't fix it, as there's nothing to fix.

Julien Dubois



On Mon, 28 Jul 2025 at 17:17, Stefan Hansel <stefan...@tecease.de> wrote:
Hi Julien, 

I'm a long-time (>7 years) happy user of JHipster :D. Our Dependabot has now made us aware of CVE-2025-43712 ("privilege escalation"), but I cannot find any information other than that from the original author of this CVE.

As the original author claims that JHipster rejected a fix, is there any official documentation available (i.e. whether you consider this a bug, and if not, why not)? I guess a lot of other people are also being alerted via Dependabot or other security checkers.

I'm writing to you, as you are listed as the security contact for generator-jhipster.

My own analysis found the following:
  • I'm pretty sure JHipster has proper backend validation of the user's access level on the admin endpoints. While I could reproduce that I can make the Admin menu visible on the frontend by faking a backend response, I cannot list/create users without admin rights as claimed in the CVE.
  • I compared the current version 8.9.0 (which according to the CVE contains a fix) with 8.8.0, but couldn't find any explicit change and/or fix in the evaluation of rights (neither in frontend nor backend code).
  • I also wrote a comment on the Medium article to contact the original author of the CVE. However, he deleted my comments (duh :( ).
We are still on JHipster 7.9.x, so if there is any fix that I might have overlooked, I'm happy to help with a backport, as we will only have updated to JHipster 8 by the end of the year.

I'm fine with users being able to see admin menus, as long as they are not functional.

Thanks a lot for your help.

Kind regards
Stefan
---
tecease GmbH
Friggastr. 28a, 14513 Teltow

Managing Director: Stefan Hansel
HRB: 27906 P, Amtsgericht Potsdam
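Both messages turn on the same point: what the browser renders (an Admin menu) is decided from a payload the client controls, while what the server permits is decided from the authenticated principal it holds itself. The following is an added illustration of that boundary, not code from JHipster or from either poster; the session store, route table, logins and response bodies are constructed for the example. It models a client that edits its own /api/account payload to include ROLE_ADMIN (which is all the reproduction described above amounts to), and shows that the server's decision on the admin endpoints is unchanged.

```python
from dataclasses import dataclass, field
from http import HTTPStatus
from typing import Dict, FrozenSet, Optional, Tuple

ROLE_ADMIN = "ROLE_ADMIN"
ROLE_USER = "ROLE_USER"


@dataclass(frozen=True)
class Principal:
    """Identity as the server established it at login (constructed example)."""
    login: str
    authorities: FrozenSet[str]


# Constructed server-side session store: bearer token -> authenticated principal.
# The client never gets to write into this table.
SESSIONS: Dict[str, Principal] = {
    "token-alice": Principal("alice", frozenset({ROLE_USER})),
    "token-admin": Principal("admin", frozenset({ROLE_USER, ROLE_ADMIN})),
}

# Constructed route table: (method, path) -> authority required on the server side.
# None means any authenticated user may call it.
ROUTES: Dict[Tuple[str, str], Optional[str]] = {
    ("GET", "/api/account"): None,
    ("GET", "/api/admin/users"): ROLE_ADMIN,
    ("POST", "/api/admin/users"): ROLE_ADMIN,
}


@dataclass
class Request:
    method: str
    path: str
    token: Optional[str] = None
    body: dict = field(default_factory=dict)


def handle(request: Request) -> Tuple[int, Optional[dict]]:
    """Server-side dispatch with the authorization check done per request.

    The decision uses only the principal bound to the session token. Anything
    the client puts in the request body, including a claimed 'authorities'
    list, has no influence on whether the call is permitted.
    """
    route = (request.method, request.path)
    if route not in ROUTES:
        return HTTPStatus.NOT_FOUND, None
    principal = SESSIONS.get(request.token or "")
    if principal is None:
        return HTTPStatus.UNAUTHORIZED, None
    required = ROUTES[route]
    if required is not None and required not in principal.authorities:
        return HTTPStatus.FORBIDDEN, None
    if request.path == "/api/account":
        return HTTPStatus.OK, {"login": principal.login,
                               "authorities": sorted(principal.authorities)}
    # Constructed admin payload; only reachable with ROLE_ADMIN on the server.
    return HTTPStatus.OK, {"users": ["admin", "alice"]}


def ui_shows_admin_menu(account_payload: dict) -> bool:
    """Frontend logic: the menu is rendered from whatever the browser holds."""
    return ROLE_ADMIN in account_payload.get("authorities", [])


def tampered_client_scenario() -> Tuple[bool, int, int]:
    """A plain user edits the account payload in their own browser.

    Returns (menu_visible, status_of_list_users, status_of_create_user).
    The menu appears, but the server still answers 403 on both admin calls.
    """
    _, account = handle(Request("GET", "/api/account", token="token-alice"))
    # Client-side edit: the browser's copy now claims ROLE_ADMIN.
    edited = dict(account, authorities=account["authorities"] + [ROLE_ADMIN])
    menu_visible = ui_shows_admin_menu(edited)
    list_status, _ = handle(Request("GET", "/api/admin/users", token="token-alice"))
    create_status, _ = handle(Request(
        "POST", "/api/admin/users", token="token-alice",
        body={"login": "mallory", "authorities": [ROLE_ADMIN]}))
    return menu_visible, int(list_status), int(create_status)


if __name__ == "__main__":
    print(tampered_client_scenario())          # (True, 403, 403)
    print(handle(Request("GET", "/api/admin/users", token="token-admin"))[0])  # 200
```

The check a reviewer of such a report wants is the one Stefan describes: with a non-admin session, call the admin endpoints directly and confirm they return 403 regardless of what the UI displays. A finding that only demonstrates the menu becoming visible has shown a change in client state, not an authorization bypass.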