CVE-2025-24799

CVE-2025-24799 is a SQL injection vulnerability (CWE-89) affecting GLPI, a free asset and IT management software package. The flaw exists in the inventory endpoint, allowing unauthenticated users to inject malicious SQL queries. It has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with network accessibility, low attack complexity, and no privileges or user interaction required. The vulnerability was published on 2025-03-18 and is fixed in GLPI version 10.0.18.

An unauthenticated remote attacker can exploit this vulnerability by sending crafted requests to the inventory endpoint, enabling arbitrary SQL query execution. Successful exploitation allows the attacker to extract sensitive data from the underlying database, such as asset details, user information, or other IT management records, without impacting integrity or availability.

The official GLPI security advisory (GHSA-jv89-g7f7-jwfg) on GitHub confirms the issue and states that it is resolved in version 10.0.18. Security practitioners should update to this patched release immediately and review access to inventory endpoints, applying input validation and prepared statements as interim defenses where patching is delayed.