CVE-2025-0558

CVE-2025-0558 is a SQL injection vulnerability classified as critical in TDuckCloud tduck-platform versions up to 4.0. The issue resides in the QueryProThemeRequest function within the file src/main/java/com/tduck/cloud/form/request/QueryProThemeRequest.java, where manipulation of the 'color' argument enables SQL injection. It is associated with CWE-74 (Improper Neutralization of Special Elements) and CWE-89 (SQL Injection), carrying a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). The vulnerability was published on 2025-01-18.

The vulnerability can be exploited remotely by an attacker with low privileges (PR:L), requiring no user interaction and low complexity. Successful exploitation allows limited impacts on confidentiality, integrity, and availability through SQL injection, potentially enabling unauthorized data access, modification, or denial of service on the affected platform.

Advisories from VulDB and a related GitHub repository indicate that an exploit has been publicly disclosed and may be actively used. The vendor was contacted early regarding the issue but has not responded or provided any patches or mitigations as of the latest information. Security practitioners should isolate affected instances, monitor for anomalous queries involving the 'color' parameter, and consider input validation or upgrades if available.