CVE-2025-22954
Published: 12 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to gain initial access to a network.
Security Summary
CVE-2025-22954 is a SQL injection vulnerability in the GetLateOrMissingIssues function within the C4/Serials.pm module of Koha, an open-source library management system. The flaw affects Koha versions prior to 24.11.02 and is exploitable through the /serials/lateissues-export.pl script via the supplierid or serialid parameters. It has been assigned CWE-89 and carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating critical severity due to its potential for complete system compromise.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By injecting malicious SQL payloads into the supplierid or serialid parameters, attackers gain the ability to execute arbitrary SQL queries against the underlying database, potentially leading to high-impact outcomes such as unauthorized data extraction, modification, or deletion, as well as denial-of-service conditions. The changed scope (S:C) amplifies risks, allowing attackers to affect not only the targeted component but also related systems or data stores.
The fix ships in Koha 24.11.02, as detailed in the official release announcement and the associated bug report (Bugzilla #38829). Security practitioners should upgrade affected Koha installations to version 24.11.02 or later, and until the upgrade is applied, restrict and monitor access to the /serials/lateissues-export.pl endpoint.
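One way to monitor the endpoint in the interim, as an added example that is not Koha's own code: scan web-server access logs for requests to lateissues-export.pl whose supplierid or serialid values are not plain integers. It assumes combined/common log format lines and that both parameters are numeric IDs; the log lines below are constructed, not real traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Script named in the advisory; matched as a suffix so a /cgi-bin/koha prefix also hits.
VULN_PATH = "/serials/lateissues-export.pl"
# Assumption: both parameters are integer IDs, so anything else is unexpected input.
ID_PARAMS = ("supplierid", "serialid")
INT_RE = re.compile(r"^\d+$")
# Request field of a common/combined log line: "METHOD /path?query HTTP/x.y"
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_params(target: str) -> dict:
    """Return {param: decoded value} for id parameters that are not plain integers."""
    parts = urlsplit(target)
    if not parts.path.endswith(VULN_PATH):
        return {}
    qs = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    hits = {}
    for name in ID_PARAMS:
        for value in qs.get(name, []):
            if not INT_RE.match(value):
                hits[name] = value
    return hits


def scan_log(lines) -> list:
    """Return [(client_ip, hits)] for each request carrying non-integer id values."""
    findings = []
    for line in lines:
        m = REQ_RE.search(line)
        if not m:
            continue
        hits = suspicious_params(m.group("target"))
        if hits:
            findings.append((line.split(" ", 1)[0], hits))
    return findings


# Constructed sample lines (not real traffic): one benign request, one with a
# stray quote in serialid, one unrelated page.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Mar/2025:10:00:01 +0000] "GET /cgi-bin/koha/serials/lateissues-export.pl?supplierid=12 HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Mar/2025:10:00:02 +0000] "GET /cgi-bin/koha/serials/lateissues-export.pl?serialid=1%27 HTTP/1.1" 500 0',
    '198.51.100.9 - - [12/Mar/2025:10:00:03 +0000] "GET /cgi-bin/koha/opac-main.pl HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for client, hits in scan_log(SAMPLE_LOG):
        print(f"{client}: {hits}")
```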
Details
- CWE(s): CWE-89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The SQL injection sits in an unauthenticated, public-facing web endpoint (/serials/lateissues-export.pl), which maps directly to T1190 (Exploit Public-Facing Application): an attacker can use it both for initial access and to run arbitrary queries against the database.