VYPR
Critical severity · NVD Advisory · Published May 5, 2025 · Updated May 6, 2025

CVE-2025-45616

Description

An authentication bypass in brcc <= v1.2.0 via /admin/** API allows unauthenticated attackers to gain admin access.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

CVE-2025-45616 describes an incorrect access control vulnerability in brcc v1.2.0, a distributed configuration center by Baidu. The flaw exists in the UserAuthFilter class, specifically in the doFilter method, where the filter uses request.getRequestURI() to determine if a request path matches a list of no-authorization paths (noAuths). The getRequestURI() method does not normalize special characters or URL-encoded sequences, leading to a path confusion vulnerability [1][3].

Exploitation

Scenario

An attacker can craft a request to the /admin/** API by prepending a context-path that is listed in the noAuths list. For example, if the developer configures the application's context-path as /v2 and that value is also present in noAuths, then accessing http://127.0.0.1:8080/v2/admin/queryUser bypasses authentication entirely. The filter matches /v2 against the no-auth list and calls chain.doFilter() without further checks, allowing the request to reach protected admin endpoints [3]. No authentication token or session is required for this bypass [2].

Impact

Successful exploitation allows an unauthenticated attacker to perform administrative actions such as viewing sensitive configuration data, modifying settings, or provisioning new users. Since brcc manages application configuration across environments and products, this could lead to exposure of credentials, API keys, and other secrets, potentially compromising the entire infrastructure depending on the deployment context [1].

Mitigation

The vulnerability affects all versions up to v1.2.0. Users should upgrade to a patched version when available. As of the advisory, no patch has been released, but the issue was reported to the vendor via GitHub [2][3]. A workaround is to avoid configuring any context-path that also appears in the noAuths list, or to implement additional authentication checks at the reverse proxy level. The CVE is not yet listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
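As an added illustration of the filter logic described in the Overview and of the path-confusion workaround above (example code written for this page, not brcc's UserAuthFilter): a hypothetical servlet filter showing the getRequestURI()-based prefix check beside a hardened check that strips the context path, percent-decodes once, rejects confusing paths, and accepts only exact allowlist entries. It assumes the javax.servlet 4 API and Java 11+; the NO_AUTHS entries are constructed to mirror the advisory's /v2 scenario.

```java
import java.io.IOException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter, not brcc's UserAuthFilter. The allowlist is constructed to mirror the
// advisory's scenario: "/v2" is both the servlet context-path and an entry in noAuths.
public class HardenedAuthFilter implements Filter {
    private static final Set<String> NO_AUTHS = Set.of("/v2", "/login", "/health");

    // Weak check, the pattern the advisory describes: getRequestURI() still carries the context
    // path, so "/v2/admin/queryUser" starts with the allowlisted "/v2" and skips authentication.
    static boolean weakIsNoAuth(String requestUri) {
        return NO_AUTHS.stream().anyMatch(requestUri::startsWith);
    }

    // Hardened check: drop the context path, percent-decode once, refuse anything that still
    // looks like path confusion, then require an exact match. Everything else falls through
    // to authentication, so a mistake here fails closed rather than open.
    static boolean isNoAuth(String requestUri, String contextPath) {
        String path = requestUri;
        if (!contextPath.isEmpty() && path.startsWith(contextPath + "/")) {
            path = path.substring(contextPath.length());
        }
        try {
            path = URLDecoder.decode(path, StandardCharsets.UTF_8); // also maps '+' to ' ', harmless here
        } catch (IllegalArgumentException malformed) {
            return false; // malformed escape sequence: never treat as public
        }
        if (path.contains("..") || path.contains("//") || path.contains("\\") || path.contains("\0")) {
            return false;
        }
        return NO_AUTHS.contains(path); // "/v2/admin/queryUser" -> "/admin/queryUser" -> false
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // getSession(false) stands in for the real session/token check; only the path decision matters here.
        if (isNoAuth(request.getRequestURI(), request.getContextPath()) || request.getSession(false) != null) {
            chain.doFilter(req, res);
        } else {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED);
        }
    }
}
```

With context-path /v2, weakIsNoAuth("/v2/admin/queryUser") returns true while isNoAuth("/v2/admin/queryUser", "/v2") returns false, so the admin route reaches the session check.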

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: com.baidu.mapp:brcc-core (Maven)
Affected versions: <= 1.2.0
Patched versions: none listed

Patches

No patches discovered yet.
