CVE-2025-70058
Description
An issue pertaining to CWE-295: Improper Certificate Validation was discovered in YMFE yapi v1.12.0. The application disables TLS/SSL certificate validation by setting 'rejectUnauthorized': false in the HTTPS agent configuration for Axios requests.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
YMFE yapi v1.12.0 disables TLS certificate validation for Axios requests, making HTTPS connections vulnerable to man-in-the-middle attacks.
Vulnerability
Overview
YMFE yapi v1.12.0 contains an improper certificate validation vulnerability (CWE-295). The application explicitly disables TLS/SSL certificate validation by setting 'rejectUnauthorized': false in the HTTPS agent configuration for Axios requests [1]. This configuration is found in the file common/postmanLib.js at line 110 [4].
Exploitation
Scenario
An attacker with network access to the traffic between a yapi instance and any HTTPS-based API it contacts can perform a man-in-the-middle attack. Because the application does not verify the server's TLS certificate, the attacker can present a forged certificate and intercept or modify the communication without detection. No prior authentication or user interaction is required beyond the attacker being positioned on the network path.
Impact
Successful exploitation allows an attacker to eavesdrop on sensitive data transmitted over HTTPS, such as API keys, authentication tokens, or user credentials. The attacker can also inject malicious responses, potentially leading to further compromise of the yapi instance or connected services. This undermines the security guarantees that TLS is meant to provide.
Mitigation
Status
As of the advisory date, no patch has been released for this vulnerability. Users of yapi v1.12.0 are advised to monitor the official GitHub repository [2] for updates. In the interim, administrators can mitigate the risk by deploying network-level controls such as TLS inspection proxies or VPNs to secure the communication paths. The project is open source and maintained by YMFE [3], so a fix may be forthcoming.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| yapi-vendornpm | <= 1.12.0 | — |
Affected products
YMFE/yapi
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.