RuoYi Management System v4.3.1 Release Notes and Security Vulnerability Fixes
RuoYi Management System v4.3.1 introduces multiple functional enhancements and critical security patches, including fixes for Shiro remember‑Me command execution, SQL injection via PageHelper, Shiro permission‑bypass, and Fastjson deserialization vulnerabilities, along with code examples and configuration guidance.
RuoYi Management System v4.3.1 has been released, bringing a series of functional updates and security fixes.
National information security vulnerability – ensure cipherKey uniqueness to prevent command execution.
Upgrade Shiro to the latest 1.5.3 to block permission‑bypass vulnerability.
Clear verification code after use to prevent reuse.
Support decimal point in character checks and downgrade to exception alerts.
Add custom maxmin attribute to openOptions function.
Support maximization in openOptions.
Support multiple button callbacks in openOptions.
Add isLinkage to enable tab‑menu linkage.
Fix code‑generation import table‑structure exception handling.
Show default avatar when user avatar loading fails.
Excel export now supports dictionary types.
The system uses Apache Shiro’s RememberMe feature, but the default cipherKey is hard‑coded. Attackers can craft a malicious object, encrypt it, and place it in the RememberMe cookie, leading to deserialization and arbitrary command execution.
Detection: Check ShiroConfig.java for the default key value fCq+/xW488hMTCD+cmJ3aQ==. If present, replace it.
Solution: Upgrade to version >=v4.3.1 and generate a new unique cipherKey (do not leak).
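The solution step above asks for a freshly generated, deployment-specific key. The following Java program is an added example (not RuoYi project code) that produces such a key with the same KeyGenerator approach as the configuration snippet, and audits a configured value before start-up: it flags the hard-coded default named above and the sample value printed in the documentation snippet (a value published in docs is no longer unique), and checks that the Base64 decodes to a valid AES key length. The class name and the audit rules are this example's own.

```java
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.Set;

/**
 * Added example (not RuoYi project code): generate a deployment-specific Shiro
 * RememberMe cipherKey and audit a configured value before start-up.
 */
public class ShiroCipherKeyCheck {

    // Values that must never be deployed: the hard-coded default named in this
    // advisory, and the sample value printed in the configuration snippet, which
    // is just as public once it appears in the documentation.
    private static final Set<String> KNOWN_PUBLIC_KEYS = Set.of(
            "fCq+/xW488hMTCD+cmJ3aQ==",
            "zSyK5Kp6PZAAjlT+eeNMlg==");

    /** Generate a fresh 128-bit AES key, Base64-encoded the way shiro.cookie.cipherKey expects it. */
    public static String generateCipherKey() throws NoSuchAlgorithmException {
        KeyGenerator keygen = KeyGenerator.getInstance("AES");
        keygen.init(128); // Shiro's AesCipherService uses a 128-bit key by default
        SecretKey key = keygen.generateKey();
        return Base64.getEncoder().encodeToString(key.getEncoded());
    }

    /** Returns null when the configured key is acceptable, otherwise the reason it is not. */
    public static String auditCipherKey(String configured) {
        if (configured == null || configured.trim().isEmpty()) {
            return "cipherKey is not set";
        }
        if (KNOWN_PUBLIC_KEYS.contains(configured)) {
            return "cipherKey is a publicly known value and must be regenerated";
        }
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(configured);
        } catch (IllegalArgumentException e) {
            return "cipherKey is not valid Base64";
        }
        if (raw.length != 16 && raw.length != 24 && raw.length != 32) {
            return "decoded cipherKey is " + raw.length + " bytes, not an AES key length";
        }
        return null;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Audit the default key named in the advisory: expected to be flagged.
        System.out.println("default key -> " + auditCipherKey("fCq+/xW488hMTCD+cmJ3aQ=="));
        // Generate a fresh key (once per deployment; store it like any other secret).
        String fresh = generateCipherKey();
        System.out.println("fresh key   -> " + fresh + " (audit: " + auditCipherKey(fresh) + ")");
    }
}
```

Run the audit against the value read from your application configuration (the cipherKey entry in the YAML snippet that follows) as part of deployment checks; a null result means the key is set, is not one of the published values, and decodes to a usable AES key.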
# Shiro
shiro:
  cookie:
    # Set a unique key (generate once: paste the three commented lines into a main method, run it, copy the output here)
    # KeyGenerator keygen = KeyGenerator.getInstance("AES");
    # SecretKey deskey = keygen.generateKey();
    # System.out.println(Base64.encodeToString(deskey.getEncoded()));
    cipherKey: zSyK5Kp6PZAAjlT+eeNMlg==

Another critical issue is a SQL injection risk in PageHelper's order-by functionality, which lacks character validation, potentially exposing private data.
Detection: Look for String orderBy = pageDomain.getOrderBy(); in BaseController.java without proper checks.
Solution: Upgrade to >=v3.2.0 or add character validation using SqlUtil.escapeOrderBySql(pageDomain.getOrderBy()).
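To see what the character allowlist in SqlUtil (shown below on the page) accepts and rejects, here is an added Java example (not RuoYi project code) that reimplements the same check, runs it over constructed sample order-by values, and layers on a stricter column-allowlist check that the page does not include: the character check alone still passes any well-formed identifier, so the stricter variant also requires each term to name a known column with an optional ASC/DESC. The class name, the sample inputs and the column set are this example's own.

```java
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Added example (not RuoYi project code): the character allowlist used by
 * SqlUtil.escapeOrderBySql, exercised against sample order-by values, plus a
 * stricter column-allowlist check layered on top of it.
 */
public class OrderByCheckDemo {

    // Same character class as the page's SQL_PATTERN: letters, digits, underscore, space, comma, dot.
    private static final Pattern SQL_PATTERN = Pattern.compile("[a-zA-Z0-9_ ,.]+");

    /** Character-level check: the whole value must consist of allowed characters only. */
    public static boolean isValidOrderBySql(String value) {
        return value != null && SQL_PATTERN.matcher(value).matches();
    }

    /** Mirrors escapeOrderBySql: pass valid input through unchanged, reject anything else. */
    public static String escapeOrderBySql(String value) {
        if (value != null && !value.isEmpty() && !isValidOrderBySql(value)) {
            throw new IllegalArgumentException("order-by parameter contains disallowed characters");
        }
        return value;
    }

    /**
     * Stricter check (an addition, not on the page): each comma-separated term must be
     * "<known column>" optionally followed by ASC or DESC. This also rejects values the
     * character check lets through, such as a column name the table does not have.
     */
    public static boolean isKnownColumnOrderBy(String value, Set<String> columns) {
        if (!isValidOrderBySql(value)) {
            return false;
        }
        for (String term : value.split(",")) {
            String[] parts = term.trim().split("\\s+");
            if (parts.length < 1 || parts.length > 2 || !columns.contains(parts[0])) {
                return false;
            }
            if (parts.length == 2
                    && !parts[1].equalsIgnoreCase("asc")
                    && !parts[1].equalsIgnoreCase("desc")) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed column allowlist for a hypothetical user query.
        Set<String> userColumns = Set.of("user_id", "user_name", "create_time");
        // Constructed sample inputs: the first three pass the character check, the rest do not.
        List<String> samples = List.of(
                "user_name",
                "create_time desc, user_id asc",
                "nonexistent_col desc",
                "user_name; other statement",
                "user_name'",
                "user_name desc, (1)");
        for (String s : samples) {
            boolean chars = isValidOrderBySql(s);
            boolean strict = isKnownColumnOrderBy(s, userColumns);
            System.out.printf("%-32s character check: %-5s column allowlist: %s%n", s, chars, strict);
        }
    }
}
```

In the output, "nonexistent_col desc" passes the character check but fails the column allowlist, which is the gap the stricter variant closes; the last three samples fail both because they contain a semicolon, a quote or parentheses.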
package com.ruoyi.common.utils.sql;

import com.ruoyi.common.exception.base.BaseException;
import com.ruoyi.common.utils.StringUtils;

public class SqlUtil {
    /** Allowed characters: letters, digits, underscore, space, comma and dot */
    public static String SQL_PATTERN = "[a-zA-Z0-9_\\ ,\\.]+";

    /** Check characters to prevent injection */
    public static String escapeOrderBySql(String value) {
        if (StringUtils.isNotEmpty(value) && !isValidOrderBySql(value)) {
            throw new BaseException("参数不符合规范,不能进行查询");
        }
        return value;
    }

    /** Validate order-by syntax */
    public static boolean isValidOrderBySql(String value) {
        return value.matches(SQL_PATTERN);
    }
}

A Shiro permission-bypass vulnerability exists in versions <=1.5.2 when combined with Spring dynamic controllers, allowing unauthorized remote attackers to bypass authentication.
Detection: Check pom.xml for Shiro version <=1.5.2.
Solution: Upgrade Shiro to >=1.5.3.
Fastjson <=1.2.68 suffers from a high‑risk deserialization vulnerability via the autoType switch, enabling remote code execution.
Detection: Verify the Fastjson version in pom.xml.
Solution: Upgrade to >=1.2.70 .
Note: The default admin credentials are admin/admin123. Change the super-admin password in production. Use SysPasswordService.encryptPassword(String username, String password, String salt) to generate an MD5 hash.
Built‑in Features
User Management
Department Management
Post Management
Menu Management
Role Management
Dictionary Management
Parameter Management
Notice & Announcement
Operation Log
Login Log
Online Users
Scheduled Tasks
Code Generation (Java, HTML, XML, SQL)
System API Documentation
Service Monitoring (CPU, Memory, Disk, Heap)
Online Form Builder
Connection Pool Monitoring