CVE-2025-12008: Yaay Social Media App Authorization Bypass Exposes User Data
The National Vulnerability Database has disclosed CVE-2025-12008, a critical authorization bypass vulnerability affecting APPYAP Technology and Information Inc.’s Yaay Social Media App. This flaw, present in versions 3.8.0 through 24102025, allows unauthenticated attackers to access functionalities not properly restricted by Access Control Lists (ACLs). The high CVSS score of 8.8 underscores the severity, indicating potential for attackers to achieve high impact on confidentiality, integrity, and availability.
This vulnerability stems from a user-controlled key mechanism, as detailed by CWE-639. Attackers can leverage this to bypass intended security checks, potentially leading to unauthorized data access, modification, or disruption of services. Given the nature of social media platforms, this could expose sensitive user information or allow malicious actors to impersonate users or manipulate content.
Defenders must prioritize patching or updating affected Yaay Social Media App instances immediately. Organizations should audit their environments for any unauthorized access or anomalous activity related to the app. Understanding the attack vector—accessing restricted functions via manipulated keys—is crucial for threat hunting and incident response.
What This Means For You
- If your organization uses or hosts the Yaay Social Media App (versions 3.8.0 to 24102025), you must patch immediately. This vulnerability allows bypassing access controls, meaning sensitive user data could be exposed or manipulated by unauthenticated attackers. Audit logs for any suspicious activity indicative of unauthorized function access.
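One way to act on the log-audit advice above, as an added example that is not from the advisory or the vendor: it scans access-log lines for clients that were successfully served objects keyed to accounts other than their own, the trace a CWE-639 bypass leaves behind. The log layout, the `user_id` parameter and the `/api/...` paths are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Assumed log layout (constructed): client IP, authenticated account or "-",
# request line, status. Adapt the regex to your real access-log format.
LINE = re.compile(
    r'^(?P<ip>\S+) user=(?P<user>\S+) "(?P<method>[A-Z]+) (?P<target>\S+)" (?P<status>\d{3})$'
)
KEY_PARAM = "user_id"  # hypothetical object-key parameter, not from the advisory

SAMPLE_LOG = """\
198.51.100.10 user=1001 "GET /api/profile?user_id=1001" 200
198.51.100.10 user=1001 "GET /api/messages?user_id=1001" 200
203.0.113.7 user=- "GET /api/profile?user_id=1001" 200
203.0.113.7 user=- "GET /api/profile?user_id=1002" 200
203.0.113.7 user=- "GET /api/profile?user_id=1003" 200
203.0.113.7 user=- "GET /api/profile?user_id=1004" 403
198.51.100.22 user=1005 "POST /api/profile?user_id=1002" 200
192.0.2.50 user=1009 "GET /api/profile?user_id=1010" 403
""".splitlines()


def foreign_key_hits(lines, key_param=KEY_PARAM):
    """Map client IP -> object keys served (2xx) to a caller who does not own them."""
    hits = defaultdict(set)
    for line in lines:
        m = LINE.match(line.strip())
        if not m or not m["status"].startswith("2"):
            continue  # unparsable line, or the server refused the request
        for key in parse_qs(urlsplit(m["target"]).query).get(key_param, []):
            if key != m["user"]:  # "-" (no session) never equals a key
                hits[m["ip"]].add(key)
    return dict(hits)


def suspects(lines, min_keys=2):
    """Clients that were successfully served at least min_keys foreign object keys."""
    hits = foreign_key_hits(lines)
    return {ip: sorted(keys) for ip, keys in hits.items() if len(keys) >= min_keys}


if __name__ == "__main__":
    for ip, keys in suspects(SAMPLE_LOG).items():
        print(f"{ip} was served {len(keys)} foreign keys: {', '.join(keys)}")
```

Endpoints that legitimately return other users' objects (public profiles, shared content) will appear here and need to be excluded before the output is treated as a lead.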
🛡️ Detection Rules
6 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.
Web Application Exploitation Attempt — CVE-2025-12008
```yaml
title: Web Application Exploitation Attempt — CVE-2025-12008
id: scw-2026-05-14-1
status: experimental
level: high
description: |
  Detects common exploitation patterns targeting web applications. Review CVE-2025-12008 advisories for specific indicators.
author: SCW Feed Engine (auto-generated)
date: 2026-05-14
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2025-12008/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  # Generic traversal, SQL injection, XSS and command-injection substrings.
  # None of these is specific to the user-controlled key (CWE-639) bypass
  # described above; a request that only swaps an object key will not match.
  selection:
    cs-uri-query|contains:
      - '..'
      - 'SELECT'
      - 'UNION'
      - '<script'
      - 'cmd='
      - '/etc/passwd'
  condition: selection
falsepositives:
  - Legitimate activity from CVE-2025-12008
```
Source: Shimi's Cyber World
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2025-12008 | Auth Bypass | APPYAP Technology and Information Inc. Yaay Social Media App |
| CVE-2025-12008 | Auth Bypass | Yaay Social Media App versions from 3.8.0 through 24102025 |
| CVE-2025-12008 | Auth Bypass | Authorization bypass through User-Controlled key |
| CVE-2025-12008 | Auth Bypass | Accessing Functionality Not Properly Constrained by ACLs |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 14, 2026 at 16:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.