JHipster Privilege Escalation Vulnerability

Vulnerability

A privilege escalation vulnerability exists in JHipster versions prior to 8.9.0. It allows a standard user to gain admin rights by manipulating the 'authorities' parameter in the response from the '/api/account' endpoint. The root cause is inadequate server-side authorization checks: the application's admin functionality is gated by a value the client can alter rather than by a check enforced on the server.

Impact

Exploitation of this vulnerability allows unauthorized users to access admin-level features, including user management and modification of sensitive user information.

Reproduction

To reproduce this vulnerability, register as a standard user on a JHipster application. After logging in, intercept the response from the '/api/account' endpoint, and locate the 'authorities' parameter, which will contain 'ROLE_USER'. Modify this value to 'ROLE_ADMIN' and send the altered response back to the application. The application will accept the change and grant access to admin functionalities.

Remediation

Users can update to JHipster version 8.9.0 or later, where this vulnerability is patched.
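The underlying defect described above (admin functionality gated by a role value the client can alter instead of by a server-side check) is best understood by seeing the two patterns side by side. The following is an added illustration written for this page; it is not JHipster's generated code and not the fix shipped in 8.9.0. It assumes a Spring Boot 3 / Spring Security 6 application on Java 17+; the package, class and record names and every path other than /api/account are hypothetical.

```java
// Added illustration for this advisory; not JHipster's generated code.
// Assumes Spring Boot 3 / Spring Security 6, Java 17+. Names below are hypothetical.
package com.example.security;

import java.util.Set;
import java.util.stream.Collectors;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

/** Body of GET /api/account. It is a hint for the UI, never an authorization input. */
record AccountDTO(String login, Set<String> authorities) {}

@RestController
@RequestMapping("/api")
class AccountAndUserResource {

    /** The response the advisory refers to. The client may show or hide an admin menu
     *  based on it; whatever the client does to this value proves nothing to the server. */
    @GetMapping("/account")
    public AccountDTO getAccount(Authentication authentication) {
        return new AccountDTO(authentication.getName(), serverSideAuthorities(authentication));
    }

    /** ANTI-PATTERN: the server branches on a role value that arrived from the client.
     *  A tampered 'authorities' set is accepted as fact, which is the class of bug
     *  the advisory describes. */
    @PostMapping("/users/insecure")
    public ResponseEntity<String> updateUserInsecure(@RequestBody AccountDTO clientCopy) {
        if (clientCopy.authorities().contains("ROLE_ADMIN")) {
            return ResponseEntity.ok("updated");
        }
        return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
    }

    /** HARDENED: Spring Security decides before the body runs, using the authorities it
     *  loaded for the authenticated principal. The request body plays no part. */
    @PostMapping("/admin/users")
    @PreAuthorize("hasAuthority('ROLE_ADMIN')")
    public ResponseEntity<String> updateUser(@RequestBody AccountDTO clientCopy,
                                             Authentication authentication) {
        // Defence in depth: any further role logic also reads the server-side view.
        if (!serverSideAuthorities(authentication).contains("ROLE_ADMIN")) {
            return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
        }
        return ResponseEntity.ok("updated");
    }

    /** Authorities as the server knows them (from its user store / session), not from a DTO. */
    private static Set<String> serverSideAuthorities(Authentication authentication) {
        return authentication.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .collect(Collectors.toSet());
    }
}

/** URL-level rule so every /api/admin/** endpoint is covered even if an annotation is forgotten. */
@Configuration
@EnableWebSecurity
@EnableMethodSecurity
class SecurityConfiguration {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(authz -> authz
                .requestMatchers("/api/admin/**").hasAuthority("ROLE_ADMIN")
                .requestMatchers("/api/**").authenticated()
                .anyRequest().permitAll());
        return http.build();
    }
}
```

The practical check for a deployment is that both layers exist: a method-level annotation on each admin operation and a URL rule for the admin path prefix. With that in place, editing the 'authorities' value of the /api/account response in a browser changes only what the UI renders, and any request a ROLE_USER session makes to an admin endpoint is answered with 403 by the server. An endpoint like the insecure one above, which reads its role from the request body and sits outside the protected prefix, is the kind of handler a code review or an authorization test suite should flag.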

Added: Jul 25, 2025, 1:24 PM
Updated: Jul 25, 2025, 5:54 PM

Vulnerability Rating

Custom Algorithm

spread: 5.4
impact: 5.0
exploitability: 5.6
remediation: 0.0
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.