Dromara RuoYi-Vue-Plus Missing Authorization Vulnerability in Workflow Module
Vulnerability
A vulnerability exists in Dromara RuoYi-Vue-Plus versions through 5.5.3, specifically within the Workflow Module. The issue arises in the SaServletFilter function of the deleteByInstanceIds endpoint, where the application fails to enforce proper authorization checks. This flaw allows authenticated users with low privileges to bypass access controls and perform sensitive actions, such as deleting process instances, terminating tasks, and changing task assignees, by directly using the affected API. The vulnerability can be exploited remotely, and a public exploit is available.
Impact
Exploitation of this vulnerability gives unauthorized access to critical workflow functions. Low-privileged users can perform actions reserved for higher-level users, such as deleting workflow instances and modifying task assignments, which amounts to privilege escalation.
Reproduction
To reproduce this vulnerability, log in as a low-privileged user who does not have administrative rights in the workflow module. After obtaining an authorization token, send a DELETE request to the /workflow/instance/deleteByInstanceIds endpoint, including the ID of a process instance created by an administrator. The server will respond with a 200 OK status, and the targeted instance will be deleted, demonstrating the privilege escalation. This vulnerability can also be reproduced by exploiting the related endpoints for terminating tasks and modifying task assignees.
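For detection, the successful low-privileged DELETE described above can be searched for in application audit logs. The following is an added example, not code from RuoYi-Vue-Plus or from the advisory; the JSON-lines log format, its field names, the sample events and the `admin` role key are assumptions.

```python
import json
from urllib.parse import urlsplit

# Endpoint named in the advisory. The related terminate/reassign endpoints are
# not named on the page; add their paths here once they are known.
SENSITIVE_PREFIXES = ("/workflow/instance/deleteByInstanceIds",)
# Assumption: role keys that are legitimately allowed to manage workflow instances.
PRIVILEGED_ROLES = {"admin"}

# Constructed sample audit log (JSON lines); format and field names are assumptions.
SAMPLE_LOG = """\
{"ts":"2025-01-10T09:00:01Z","user":"admin","roles":["admin"],"method":"DELETE","path":"/workflow/instance/deleteByInstanceIds/1001","status":200}
{"ts":"2025-01-10T09:02:14Z","user":"tester01","roles":["common"],"method":"DELETE","path":"/workflow/instance/deleteByInstanceIds/1002","status":200}
{"ts":"2025-01-10T09:02:40Z","user":"tester01","roles":["common"],"method":"DELETE","path":"/workflow/instance/deleteByInstanceIds/1003","status":403}
{"ts":"2025-01-10T09:03:05Z","user":"tester02","roles":[],"method":"GET","path":"/some/other/path?pageNum=1","status":200}
not-json garbage line
"""

def is_sensitive(path):
    """True if the request path (query string ignored) targets a watched endpoint."""
    p = urlsplit(path).path.rstrip("/")
    return any(p == s or p.startswith(s + "/") for s in SENSITIVE_PREFIXES)

def find_unauthorized_calls(lines):
    """Return events where a non-privileged user got a 2xx on a watched DELETE."""
    hits = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        if not isinstance(ev, dict):
            continue
        if ev.get("method") != "DELETE" or not is_sensitive(ev.get("path", "")):
            continue
        succeeded = 200 <= int(ev.get("status", 0)) < 300
        privileged = bool(PRIVILEGED_ROLES & set(ev.get("roles") or []))
        if succeeded and not privileged:
            hits.append(ev)
    return hits

if __name__ == "__main__":
    for ev in find_unauthorized_calls(SAMPLE_LOG.splitlines()):
        print(ev["ts"], ev["user"], ev["path"])
```

A 403 on the same path from a low-privileged account is the expected post-fix behaviour, so only 2xx responses are reported.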
