CVE-2025-15585
Description
Fileflows versions before 25.05.2 are affected by an authenticated SQL injection vulnerability in the library-file search function. Successful exploitation requires the system to use MySQL as the underlying database and could result in privilege escalation or data exfiltration.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated SQL injection in FileFlows library-file search (before 25.05.2) enables privilege escalation or data exfiltration when using MySQL.
CVE-2025-15585 is an authenticated SQL injection vulnerability in the library-file search functionality of FileFlows, a file processing application. The flaw exists in the LibraryFileService used by the /api/library-file/search endpoint, which is reachable by any authenticated user because the bare [FileFlowsAuthorize] attribute on the search method takes precedence over the controller-level FileFlowsAuthorize(UserRole.Files) check [1]. The root cause is user input passed into SQL query text without proper sanitization when the underlying database is MySQL.
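The pattern behind this class of bug, as an added illustration that is not FileFlows code: a search handler that splices the user's term into the SQL string beside the same handler written with bound parameters and a LIKE-wildcard escape. The table name, column names and sample rows are constructed stand-ins, and SQLite is used in place of MySQL only because it ships with Python; with a MySQL driver the placeholder is `%s` rather than `?`, but the principle is identical.

```python
import sqlite3

# Constructed sample data standing in for a library-file table.
# Table and column names are assumptions, not the project's schema.
SAMPLE_FILES = [
    ("a.mkv", "Movies"),
    ("b.mp4", "Movies"),
    ("c.mkv", "TV"),
    ("secret.txt", "Admin"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory table with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE library_file (id INTEGER PRIMARY KEY, name TEXT, library TEXT)"
    )
    conn.executemany(
        "INSERT INTO library_file(name, library) VALUES (?, ?)", SAMPLE_FILES
    )
    conn.commit()
    return conn


def search_concat(conn: sqlite3.Connection, term: str, library: str) -> list:
    """Vulnerable pattern: user input becomes part of the SQL text.

    Any quote or comment sequence in `term` changes the query's meaning,
    so the caller's library restriction can be disabled by the search term.
    """
    sql = (
        "SELECT name FROM library_file "
        f"WHERE library = '{library}' AND name LIKE '%{term}%'"
    )
    return [row[0] for row in conn.execute(sql)]


def _escape_like(term: str) -> str:
    """Escape LIKE metacharacters so the term matches literally."""
    return (
        term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    )


def search_param(conn: sqlite3.Connection, term: str, library: str) -> list:
    """Hardened pattern: the SQL text is constant, inputs travel as parameters.

    The wildcard is added on the Python side around an escaped term, so the
    user can neither break out of the string nor inject extra wildcards.
    """
    sql = (
        "SELECT name FROM library_file "
        "WHERE library = ? AND name LIKE ? ESCAPE '\\' ORDER BY id"
    )
    pattern = "%" + _escape_like(term) + "%"
    return [row[0] for row in conn.execute(sql, (library, pattern))]


if __name__ == "__main__":
    db = make_db()
    # Ordinary search: both variants agree.
    print(search_concat(db, "mkv", "Movies"), search_param(db, "mkv", "Movies"))
    # Regression input a defender uses to confirm the fix: the concatenated
    # version leaks every row, the parameterised one matches nothing.
    probe = "%' OR 1=1 --"
    print(search_concat(db, probe, "Movies"), search_param(db, probe, "Movies"))
```

The two functions return the same rows for ordinary terms; they only diverge on input containing quote or comment characters, which is exactly the property a regression test for this CVE should pin down.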
Exploitation
An attacker with any valid user session can exploit the vulnerability by sending a crafted POST request to the /api/library-file/search endpoint. The attack does not require special file permissions, as the [FileFlowsAuthorize] attribute on the search method allows all authenticated access, bypassing the more restrictive role check defined at the controller level [1].
Impact
Successful exploitation could lead to privilege escalation, allowing the attacker to gain higher-level permissions within the application, or data exfiltration, potentially accessing sensitive information stored in the database. The impact is limited to environments where FileFlows is configured with a MySQL backend [description].
Mitigation
The vulnerability is fixed in FileFlows version 25.05.2 [2]. Users running prior versions should upgrade immediately. No workaround is documented in the references.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (No patches discovered yet.)
Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.
References: 2
News mentions: 0 (No linked articles in our index yet.)