CVE-2024-55160

GFast, a Go-based web framework, in versions from v2 to v3.2, contains a SQL injection vulnerability (CWE-89) via the OrderBy parameter in the /system/operLog/list endpoint. Assigned CVE-2024-55160 and published on 2025-02-27, this flaw earns a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its potential for severe impact.

Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no user interaction. Exploitation enables arbitrary SQL query execution against the backend database, granting high-impact access to confidentiality (e.g., data exfiltration), integrity (e.g., data tampering), and availability (e.g., denial of service).

Mitigation guidance and further details appear in advisories referenced at http://gfast.com and https://github.com/SuperDu1/CVE/issues/2. The vulnerable code is exposed in the project's os-v3.2 branch on GitHub, specifically at https://github.com/tiger1103/gfast/blob/os-v3.2/api/v1/system/sys_oper_log.go#L35 and https://github.com/tiger1103/gfast/blob/os-v3.2/internal/app/system/logic/sysOperLog/sys_oper_log.go#L121, with the full repository at https://github.com/tiger1103/gfast/tree/os-v3.2.