VYPR
Moderate severity · NVD Advisory · Published Mar 11, 2025 · Updated Mar 12, 2025

Pimcore Vulnerable to SQL Injection in getRelationFilterCondition

CVE-2025-27617

Description

Pimcore is an open source data and experience management platform. Prior to version 11.5.4, authenticated users can craft a filter string used to cause a SQL injection. Version 11.5.4 fixes the issue.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: pimcore/pimcore (Packagist)
Affected versions: < 11.5.4
Patched versions: 11.5.4

Patches

Commit 19a852089548

[Task]: Improve quotation in RelationFilterConditionParser (#18184)

https://github.com/pimcore/pimcore · JiaJia Ji · Mar 11, 2025 · via ghsa
1 file changed · +9 −4
  • models/DataObject/ClassDefinition/Data/Extension/RelationFilterConditionParser.php (+9 −4, modified)
    @@ -16,6 +16,8 @@
     
     namespace Pimcore\Model\DataObject\ClassDefinition\Data\Extension;
     
    +use Pimcore\Db\Helper;
    +
     /**
      * Trait RelationFilterConditionParser
      *
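Review bot: with `use Pimcore\Db\Helper;` added here while the second hunk still calls `\Pimcore\Db::get()` by its fully-qualified name, the file now mixes import and FQCN styles for two classes from the same namespace; import `Pimcore\Db` next to `Helper` and call `Db::get()` so both dependencies are declared in one place.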
    @@ -28,16 +30,19 @@ trait RelationFilterConditionParser
          */
         public function getRelationFilterCondition(?string $value, string $operator, string $name): string
         {
    -        $result = '`' . $name . '` IS NULL';
    +        $db = \Pimcore\Db::get();
    +        $result = $db->quoteIdentifier($name) . ' IS NULL';
             if ($value === null || $value === 'null') {
                 return $result;
             }
             if ($operator === '=') {
    -            return '`' . $name . '` = ' . "'" . $value . "'";
    +            return $db->quoteIdentifier($name) . ' = ' . $db->quote($value);
             }
             $values = explode(',', $value);
    -        $fieldConditions = array_map(function ($value) use ($name) {
    -            return '`' . $name . "` LIKE '%," . $value . ",%' ";
    +        $fieldConditions = array_map(function ($value) use ($name, $db) {
    +            $quotedValue = $db->quote('%,' . Helper::escapeLike($value) . ',%');
    +
    +            return $db->quoteIdentifier($name) . ' LIKE ' . $quotedValue . ' ';
             }, array_filter($values));
             if (!empty($fieldConditions)) {
                 $result = '(' . implode(' AND ', $fieldConditions) . ')';
    
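Review bot: the unchanged line `}, array_filter($values));` still calls array_filter without a callback, so a comma-separated value containing "0" is dropped as falsy and that relation condition silently disappears; filter with a callback such as `fn ($v) => $v !== ''` instead. The ordering in the new LIKE branch is correct: `Helper::escapeLike($value)` is applied before the assembled `'%,' . ... . ',%'` pattern goes through `$db->quote`, which is the required order because wildcard escaping must precede literal quoting, and `$db->quoteIdentifier($name)` also closes the bare `$name` concatenation that the removed lines left open. The docblock should state that only `=` is handled explicitly and every other `$operator` falls through to the comma-list LIKE branch, since that fall-through is easy to miss when reading the callers.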
