YAPI Disables SSL Certificate Verification for Axios Requests
CVE-2025-70058 · GHSA-663h-2vr3-ghrj
CVSS 3.1 (NVD): 7.4
Summary
YAPI creates the HTTPS agent used for its Axios requests with rejectUnauthorized: false, which turns off TLS certificate validation for those connections. Any certificate is accepted, so an attacker positioned on the network path can present their own certificate, impersonate the upstream server, and read or modify the traffic, including any credentials or API data YAPI sends. Until a fix is released, make sure outbound HTTPS requests from YAPI are made with certificate validation enabled (rejectUnauthorized: true, which is the Node.js default); if upstream servers use an internal CA, supply that CA bundle to the agent rather than disabling validation.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| ymfe | yapi-vendor | <= 1.12.0 | – |
| ymfe | yapi | 1.12.0 | – |
Original title
yapi disables TLS/SSL certificate validation via rejectUnauthorized: false in Axios HTTPS agent
Original description
An issue pertaining to CWE-295: Improper Certificate Validation was discovered in YMFE yapi v1.12.0. The application disables TLS/SSL certificate validation by setting 'rejectUnauthorized': false in the HTTPS agent configuration for Axios requests.
NVD CVSS 3.1: 7.4
Vulnerability type: CWE-295 Improper Certificate Validation
References
- https://gist.github.com/zcxlighthouse/11c53803faf23f607c2787c166e811d4 Third Party Advisory
- https://github.com/YMFE Product
- https://github.com/YMFE/yapi Product
- https://nvd.nist.gov/vuln/detail/CVE-2025-70058
- https://github.com/YMFE/yapi/blob/59bade3a8a43e7db077d38a4b0c7c584f30ddf8c/commo...
- https://github.com/advisories/GHSA-663h-2vr3-ghrj
Published: 23 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026