CVE-2025-2655

CVE-2025-2655 is a SQL injection vulnerability in SourceCodester AC Repair and Services System 1.0, affecting the save_users and delete_users functions in the file /classes/Users.php. The issue arises from improper handling of the ID argument, allowing manipulation that leads to SQL injection. It is associated with CWE-74 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-89 (SQL Injection), with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its network accessibility and lack of prerequisites.

The vulnerability can be exploited remotely by unauthenticated attackers with low complexity, requiring no privileges or user interaction. Successful exploitation enables limited impacts on confidentiality, integrity, and availability, such as unauthorized data access, modification, or disruption via injected SQL payloads. Other parameters in the affected functions may also be vulnerable.

Advisories and details are documented in references including a GitHub proof-of-concept at https://github.com/Colorado-all/cve/blob/main/AC%20Repair%20and%20Services%20System%20using/SQL-8.md and VulDB entries at https://vuldb.com/?ctiid.300670, https://vuldb.com/?id.300670, https://vuldb.com/?submit.520017, and https://vuldb.com/?submit.696635. No specific patches or mitigations are detailed in the available information.

The exploit is public and may be used, increasing the risk for exposed instances of the affected system. The vulnerability was published on 2025-03-23.