CVE-2023-43961
Description
Authentication bypass in Dromara SaToken ≤1.3.50RC due to mismatched URI path handling between Spring and SaToken, allowing access to protected endpoints with trailing slashes.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Details
An issue in Dromara SaToken version 1.3.50RC and earlier allows an authentication bypass when using Spring dynamic controllers. The root cause is a discrepancy in how SaToken and Spring handle URI path normalization. SaToken uses AntPathMatcher for route matching, while Spring normalizes URLs differently, particularly with trailing slashes. This inconsistency enables attackers to bypass permission checks by appending a trailing slash to protected endpoints [2][3].
Attack Vector
The vulnerability can be exploited by sending a crafted request to a protected URL with a trailing slash (e.g., /admin/password/ instead of /admin/password). An attacker must have network access to the application and does not need prior authentication since the bypass occurs before the permission check is enforced [3].
Impact
Successful exploitation allows an unauthenticated attacker to access endpoints that require specific permissions, leading to privilege escalation or unauthorized access to sensitive functionality and data. In the provided example, an endpoint requiring admin permission can be accessed with only a user-level login [3].
Mitigation
The vulnerability has been fixed in SaToken version 1.36.0. Users are strongly advised to upgrade to this version or later. There are no known workarounds for affected versions [2][3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| cn.dev33:sa-token-core (Maven) | < 1.36.0 | 1.36.0 |
Affected products
- Dromara/SaToken
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"AntPathMatcher mismatch between SaToken and Spring: SaToken's path matcher treats `/admin/password` and `/admin/password/` as non-matching, while Spring normalizes the trailing slash and routes both to the same handler, allowing an attacker to bypass the authorization check by appending a trailing slash."
Attack vector
An attacker who has authenticated as a low-privileged user (e.g., with permission "user") can bypass the authorization check for protected endpoints by appending a trailing slash to the URL. For example, if SaToken is configured to require the "admin" permission for the path `/admin/password`, the attacker accesses `/admin/password/` instead. SaToken's AntPathMatcher evaluates `/admin/password/` as not matching the pattern `/admin/password`, so the permission check is skipped [ref_id=1]. However, Spring's path-matching normalizes the trailing slash and routes the request to the same controller method, granting unauthorized access to the resource [CWE-287][CWE-863].
Affected code
The vulnerability lies in SaToken's path-matching logic when used with Spring's dynamic controller dispatch. The affected component is SaToken's AntPathMatcher integration, which fails to normalize trailing slashes before matching against security-rule patterns [ref_id=1]. No specific file or function names are provided in the advisory.
What the fix does
The advisory states the vulnerability is fixed in version 1.36.0 [ref_id=1]. No patch diff is provided in the bundle. The fix likely involves normalizing trailing slashes in SaToken's path matching logic so that `/admin/password/` is treated equivalently to `/admin/password`, or applying a consistent path normalization before matching against security rules. This closes the differential-handling gap between SaToken and Spring that allowed the bypass.
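The following is an added example, not SaToken's or Spring's own code: it uses Spring's real `org.springframework.util.AntPathMatcher` (assumed on the classpath via spring-core) to show why a rule written for `/admin/password` does not fire for `/admin/password/`, next to a hypothetical hardened check that collapses the trailing slash before matching, which is the kind of normalization the advisory's fix description implies.

```java
import org.springframework.util.AntPathMatcher;

// Added example (hypothetical names; not SaToken's implementation).
// Shows the differential between a raw-path permission check and one
// that normalizes the trailing slash before consulting the rule.
public class TrailingSlashRuleDemo {
    private static final AntPathMatcher MATCHER = new AntPathMatcher();

    // Protected route pattern taken from the advisory's example.
    static final String ADMIN_PATTERN = "/admin/password";

    // Vulnerable shape: the request path is matched exactly as received.
    // AntPathMatcher treats a trailing slash as significant, so
    // "/admin/password/" does not match "/admin/password" and the
    // admin rule is never applied to it.
    static boolean adminRuleAppliesNaive(String requestPath) {
        return MATCHER.match(ADMIN_PATTERN, requestPath);
    }

    // Hypothetical hardened shape: strip one trailing slash (keeping "/")
    // so the security rule sees the same path the controller dispatch
    // will resolve to.
    static String stripTrailingSlash(String path) {
        if (path.length() > 1 && path.endsWith("/")) {
            return path.substring(0, path.length() - 1);
        }
        return path;
    }

    static boolean adminRuleAppliesHardened(String requestPath) {
        return MATCHER.match(ADMIN_PATTERN, stripTrailingSlash(requestPath));
    }

    public static void main(String[] args) {
        String[] probes = {"/admin/password", "/admin/password/", "/"};
        for (String p : probes) {
            System.out.printf("%-18s naive=%-5b hardened=%b%n",
                    p, adminRuleAppliesNaive(p), adminRuleAppliesHardened(p));
        }
    }
}
```

Run it with spring-core on the classpath; the naive column is the gap the advisory describes, the hardened column is what a consistent normalization gives you.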
Preconditions
- config: The application uses SaToken version <= 1.3.50RC with Spring dynamic controllers.
- config: A protected endpoint is configured with a path pattern that does not account for trailing slashes (e.g., /admin/password).
- auth: The attacker has a valid authenticated session (any permission level).
- input: The attacker sends an HTTP request to the protected endpoint with a trailing slash appended to the path.
Reproduction
1. Configure SaToken to require the "admin" permission for the path `/admin/password` (as shown in the reference write-up's interceptor example).
2. Log in as a user with only the "user" permission (e.g., via `/user/doLogin?username=zhang&password=123456`).
3. Send a GET request to `/admin/password/` (with trailing slash).
4. Observe that the request reaches the controller and returns the protected resource, bypassing the permission check [ref_id=1].
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-w9vh-hv5g-7wmr (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-43961 (advisory)
- github.com/dromara/Sa-Token/issues/511 (web)
News mentions
No linked articles in our index yet.