CVE-2025-51667
Description
An issue was discovered in simple-admin-core v1.2.0 thru v1.6.7. The /sys-api/role/update interface in the simple-admin-core system has a limited SQL injection vulnerability, which may lead to partial data leakage or disruption of normal system operations.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
simple-admin-core v1.2.0–v1.6.7 has a limited SQL injection in /sys-api/role/update, risking partial data leakage or service disruption.
Vulnerability
Overview
The /sys-api/role/update endpoint in simple-admin-core versions 1.2.0 through 1.6.7 contains a limited SQL injection vulnerability. The root cause is that the code parameter is directly concatenated into SQL statements targeting the casbin_rules table without proper sanitization [1][3]. However, the system restricts the code value to a maximum of 20 characters, which limits the exploit's scope [3].
Exploitation
Conditions
An attacker must be authenticated to reach the vulnerable endpoint, as the request requires a valid Bearer token [3]. The injection occurs in the role/update operation, where the attacker can manipulate the code field. Due to the 20-character length limit, direct exploitation is constrained, but a secondary injection scenario is possible: an attacker could first create a user with a crafted code containing the latter half of an SQL statement, then trigger the update to combine two 20-character segments into a 40-character payload [3]. This could be used to exfiltrate data from the casbin_rules table or modify its contents.
Impact
Successful exploitation could lead to partial data leakage from the casbin_rules table, which stores role-based access control rules. Additionally, an attacker could disrupt normal system operations by modifying table data or potentially launching a MySQL DDoS attack by sending multiple requests with long-sleep queries to exhaust database thread pools [3]. The impact is limited by the character restriction and the lack of a direct interface to view the casbin_rules table contents [3].
Mitigation
As of the publication date, no patch has been released. Users are advised to upgrade to a version beyond 1.6.7 once available, or apply input validation and parameterized queries to the code field as a workaround. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog.
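The fix commit tightens the validator on the role code; as an added example (not simple-admin-core's own code), the Go below mirrors that rule and pairs it with a parameterized casbin_rules update, the input-validation-plus-parameterized-query workaround the Mitigation text recommends. The column names ptype and v0 are assumed from the common casbin adapter schema, and LegacyAccepts is a hypothetical model of the pre-fix max=20 rule, included only to show what it let through.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"unicode/utf8"
)

// Mirrors the fixed validator tag `validate:"omitempty,max=15,alphanum"`.
// The regexp and error strings are this example's own, not the project's.
var roleCodeRE = regexp.MustCompile(`^[A-Za-z0-9]+$`)

// ValidateRoleCode accepts only a non-empty alphanumeric code of at most 15 runes.
func ValidateRoleCode(code string) error {
	if code == "" {
		return errors.New("role code is empty")
	}
	if utf8.RuneCountInString(code) > 15 {
		return errors.New("role code longer than 15 characters")
	}
	if !roleCodeRE.MatchString(code) {
		return errors.New("role code must be alphanumeric")
	}
	return nil
}

// LegacyAccepts models the pre-fix rule (max=20 only): any 1..20-rune string
// passed, quotes and other SQL metacharacters included (hypothetical model).
func LegacyAccepts(code string) bool {
	n := utf8.RuneCountInString(code)
	return n > 0 && n <= 20
}

// CasbinRuleUpdate validates both codes and returns a parameterized statement
// for renaming a role in casbin_rules (ptype/v0 columns assumed). The caller
// hands query and args to db.ExecContext; the code is never spliced into SQL.
func CasbinRuleUpdate(oldCode, newCode string) (query string, args []any, err error) {
	for _, c := range []string{oldCode, newCode} {
		if err := ValidateRoleCode(c); err != nil {
			return "", nil, err
		}
	}
	query = "UPDATE casbin_rules SET v0 = ? WHERE ptype = 'p' AND v0 = ?"
	return query, []any{newCode, oldCode}, nil
}

func main() {
	q, args, err := CasbinRuleUpdate("admin", "superadmin")
	fmt.Println(q, args, err)
	fmt.Println("legacy accepted ad'min:", LegacyAccepts("ad'min"), "fixed:", ValidateRoleCode("ad'min"))
}
```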
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/suyuan32/simple-admin-core (Go) | >= 1.2.0, < 1.6.8 | 1.6.8 |
Affected products
- simple-admin-core/simple-admin-core
  - Range: >=1.2.0, <=1.6.7
Patches
- f1e2c4f3c55c fix: optimize role code validator to avoid sql injects
  4 files changed · +5 −5
api/desc/core/role.api+1 −1 modified@@ -15,7 +15,7 @@ type ( Name *string `json:"name,optional" validate:"omitempty,max=30"` // Role code | 角色码 - Code *string `json:"code,optional" validate:"omitempty,max=20"` + Code *string `json:"code,optional" validate:"omitempty,max=15,alphanum"` // DefaultRouter | 默认首页 DefaultRouter *string `json:"defaultRouter,optional" validate:"omitempty,max=80"`
api/internal/handler/routes.go+1 −1 modified@@ -1,5 +1,5 @@ // Code generated by goctl. DO NOT EDIT. -// goctls v1.10.10 +// goctls v1.10.11 package handler
api/internal/types/types.go+2 −2 modified@@ -119,8 +119,8 @@ type RoleInfo struct { // max length : 30 Name *string `json:"name,optional" validate:"omitempty,max=30"` // Role code | 角色码 - // max length : 20 - Code *string `json:"code,optional" validate:"omitempty,max=20"` + // max length : 15 + Code *string `json:"code,optional" validate:"omitempty,max=15,alphanum"` // DefaultRouter | 默认首页 // max length : 80 DefaultRouter *string `json:"defaultRouter,optional" validate:"omitempty,max=80"`
core.json+1 −1 modified@@ -6128,7 +6128,7 @@ "code": { "description": "Role code | 角色码", "type": "string", - "maxLength": 20, + "maxLength": 15, "x-go-name": "Code" }, "createdAt": {
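Review bot: In the role.api hunk, tightening the tag to `max=15,alphanum` keeps quotes and other SQL metacharacters out of the code field, but the root cause named in the advisory, the code value being concatenated into the SQL that touches casbin_rules, is left as it is; binding the code as a query parameter on that path would make the fix hold even if the validator is loosened again later. Lowering the limit from 20 to 15 also means existing roles with 16 to 20 character codes will fail validation on their next update, which should be noted in the release notes or handled by a migration.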
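Review bot: The routes.go hunk only bumps the generated-code banner from `goctls v1.10.10` to `goctls v1.10.11` and carries no functional change; unrelated tooling churn in a security fix commit makes the change harder to review and backport, so consider keeping it out of this commit.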
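Review bot: The core.json hunk updates `"maxLength": 15` but does not carry the new `alphanum` restriction into the OpenAPI schema, so generated clients and the API docs will still present any 15-character string as valid; adding a `pattern` such as `^[A-Za-z0-9]+$` beside `maxLength` keeps the schema in step with the validator in role.api.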
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. github.com/advisories/GHSA-f2m2-4q6r-cwc4 (advisory)
2. nvd.nist.gov/vuln/detail/CVE-2025-51667 (advisory)
3. gist.github.com/66Giraffe66/fc258f7fcc65a6a1a1a01e217977b92d (web)
4. github.com/suyuan32/simple-admin-core/commit/f1e2c4f3c55cd5953ad7f7b0706df48adaaeb18a (web)
5. github.com/suyuan32/simple-admin-core/issues/333 (web)
News mentions
No linked articles in our index yet.