PatchSiren cyber security CVE debrief

CVE-2025-70060 Ymfe CVE debrief

CVE-2025-70060 is a medium-severity web application vulnerability mapped to CWE-79 (Improper Neutralization of Input During Web Page Generation) in YMFE yapi 1.12.0. The NVD record lists a CVSS 3.1 score of 5.4 with network attack vector, low attack complexity, no privileges required, and user interaction required. The cited impact is limited to low confidentiality and integrity, with no availability impact noted. Because the source record does not include a fixed version or remediation details, the safest interpretation is that operators of the affected yapi release should treat this as an XSS-class issue and follow vendor or upstream guidance before exposing the application to untrusted input or broad user access.

Vendor: Ymfe
Product: CVE-2025-70060
CVSS: MEDIUM 5.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-09
Original CVE updated: 2026-05-10
Advisory published: 2026-03-09
Advisory updated: 2026-05-10

Who should care

Administrators, developers, and security teams responsible for YMFE yapi 1.12.0 deployments should review this issue. It is especially relevant where yapi is used by multiple users, exposed over the network, or processes user-supplied content in web pages.

Technical summary

The official NVD data ties CVE-2025-70060 to cpe:2.3:a:ymfe:yapi:1.12.0 and CWE-79. The CVSS vector is AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N, indicating a remotely reachable flaw that depends on user interaction and can affect confidentiality and integrity at a low level. The source corpus does not provide a proof of concept, exploit chain, affected endpoint details, or a confirmed patched release.

Defensive priority

Medium. The issue is publicly documented and remotely reachable, but the available record indicates limited impact, and exploitation requires user interaction. Prioritize it for web-facing yapi deployments and environments that accept untrusted input.

Recommended defensive actions

  • Review the NVD and linked advisory/reference material for the latest remediation guidance.
  • Determine whether any deployed instance is running YMFE yapi 1.12.0 and inventory exposed instances.
  • Limit exposure of yapi to trusted networks and authenticated users until remediation is confirmed.
  • Apply the vendor or upstream fix once a patched release is identified in official guidance.
  • Validate any user-controlled content handling and review web-page generation paths for XSS hardening.
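As an added illustration of the last action above, the following is example code (not from the yapi project, which the supplied record gives no component details for) showing the standard CWE-79 mitigation for page-generation paths: contextual output encoding of every interpolated value. The `renderProjectCard` fragment, its field names and the sample input are constructed for this example.

```javascript
// Added example: HTML-context output encoding for web page generation.
// Not yapi code; the template, field names and sample input are constructed.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '/': '&#x2F;',
};

// Escape every character that can change the meaning of HTML text or of
// a quoted attribute value. Non-strings are coerced so a caller cannot
// bypass the encoder by passing numbers or objects.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical page fragment: structural markup is fixed in code, and
// every user-controlled value passes through escapeHtml before insertion.
function renderProjectCard(fields) {
  const name = escapeHtml(fields.name);
  const desc = escapeHtml(fields.description);
  return `<div class="project"><h2>${name}</h2><p>${desc}</p></div>`;
}

// Cheap regression check for code review of generation paths: does the
// rendered output still contain a raw opening tag of the given name?
function containsRawTag(html, tagName) {
  const re = new RegExp(`<${tagName}[\\s>]`, 'i');
  return re.test(html);
}

// Constructed sample input with markup in a user-controlled field; after
// rendering it must appear as inert text, not as a live element.
const SAMPLE = {
  name: 'Demo API',
  description: '<script>alert("xss")</script>',
};
console.log(renderProjectCard(SAMPLE));
```

The encoder covers the HTML text and double-quoted attribute contexts; values inserted into URLs, inline scripts or CSS need a context-specific encoder instead, and a templating engine that escapes by default (with explicit opt-out) is preferable to calling the helper by hand in every path.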

Evidence notes

Evidence in the supplied corpus comes from the official NVD modified record for CVE-2025-70060, which lists affected CPE cpe:2.3:a:ymfe:yapi:1.12.0:*:*:*:*:*:*:*, CWE-79 as the primary weakness, and CVSS v3.1 vector AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N. The record also includes references to a third-party advisory gist and the YMFE GitHub organization/project pages. No exploit details, affected component subpaths, or fixed-version information are present in the supplied source item.

Official resources

Publicly disclosed in the official NVD record on 2026-03-09 and last modified on 2026-05-10. This debrief uses only the supplied official and referenced source material.