CVE-2025-45616: 
Java vulnerability analysis and mitigation

Incorrect access control vulnerability in the /admin/** API of brcc v1.2.0 was discovered on March 16, 2025, and is tracked as CVE-2025-45616. The vulnerability affects brcc versions up to and including v1.2.0, allowing attackers to gain unauthorized access to Admin rights through crafted requests. The issue has received a CVSS v3.1 base score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is classified under CWE-284 (Improper Access Control) (NVD, Wiz).

The vulnerability exists in the UserAuthFilter class within the com.baidu.brcc.config package, specifically in the doFilter function. The issue stems from improper handling of request.getRequestURI() which does not properly parse special symbols in the request path. When developers configure the servlet contextPath as a prefix that matches patterns in noAuths (e.g., /v2), it can lead to authorization bypass. For example, if the context-path is configured as /v2 in the application.yml and /v2 is listed in noAuths, accessing http://127.0.0.1:8080/v2/admin/queryUser will expose private information to unauthorized users (GitHub Issue).

The vulnerability allows unauthorized attackers to bypass authentication and gain access to administrative functions through the /admin/** API. This could lead to exposure of sensitive information and unauthorized administrative access to the system (GitHub Issue, Wiz).

Users should review their servlet contextPath configurations and ensure they do not include patterns that match those in noAuths. The vulnerability affects brcc version 1.2.0 and earlier versions (GitHub Issue).