CVE-2025-2112
Published: 08 March 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-2112 is a critical SQL injection vulnerability in the yaoqishan project developed by user xiangpeng, affecting versions up to commit a47fec4a31cbd13698c592dfdc938c8824dd25e4. The issue resides in the getMediaLisByFilter function within the file cn/javaex/yaoqishan/service/media_info/MediaInfoService.java, where manipulation of the typeId argument enables SQL injection. This Java-based component is part of a project using rolling releases, so specific affected and patched version details are unavailable.
The vulnerability can be exploited remotely by attackers with low privileges (PR:L), requiring no user interaction and low attack complexity (AC:L). Successful exploitation allows limited impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), as scored at CVSS 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). It is associated with CWE-74 (Improper Neutralization of Special Elements) and CWE-89 (SQL Injection).
Advisories from VulDB and a GitHub repository detail the vulnerability, including a publicly disclosed exploit in yaoqishan-sql.md. The vendor was contacted early but provided no response, and no patches or mitigations are specified due to the rolling release model. Security practitioners should review and sanitize inputs to the affected function or isolate the component.
The exploit has been publicly disclosed and may be in use, with references available on GitHub and VulDB for further analysis.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote SQL injection in public-facing Java web service (MediaInfoService.getMediaLisByFilter) enables exploitation of public-facing applications (T1190), abuse of server software components (T1505 per VulDB), and data collection from databases (T1213.006).