CVE-2025-51825
Description
JeecgBoot versions from 3.4.3 up to 3.8.0 were found to contain a SQL injection vulnerability in the /jeecg-boot/online/cgreport/head/parseSql endpoint, which allows bypassing SQL blacklist restrictions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
JeecgBoot versions 3.4.3 to 3.8.0 contain a SQL injection vulnerability in the parseSql endpoint that bypasses blacklist restrictions, allowing arbitrary SQL execution.
Vulnerability
Description
CVE-2025-51825 is a SQL injection vulnerability in the JeecgBoot low-code platform, affecting versions 3.4.3 through 3.8.0. The flaw resides in the /jeecg-boot/online/cgreport/head/parseSql endpoint. The root cause is improper handling of subqueries in the SQL blacklist filter within AbstractQueryBlackListHandler.isPass(). When a malicious subquery is supplied, a type cast exception occurs, causing the list variable to become null and bypassing the blacklist check entirely [2][4].
Exploitation
An attacker with network access to the vulnerable endpoint can exploit this by crafting a SQL statement that includes a subquery, such as select schema_name from (information_schema.schemata). The POC demonstrates that this input passes the blacklist filter and returns results, whereas a direct query against information_schema.schemata is blocked [4]. The exploit requires a valid authentication token (as shown in the POC), indicating that the endpoint is likely protected by authentication but the vulnerability allows authenticated users to escalate their query capabilities [4].
Impact
Successful exploitation enables an attacker to execute arbitrary SQL queries against the underlying database. This can lead to unauthorized access to sensitive data, including database schema information, user credentials, and other application data. The POC specifically retrieves schema names from information_schema.schemata, demonstrating the ability to enumerate the database structure [4].
Mitigation
The vulnerability has been patched in commit ddf0f61ae59d217b59884921a98a0bc69b143f41, which adds additional blacklist checks for table names such as information_schema and performance_schema [3]. Users are advised to upgrade to a fixed version of JeecgBoot (3.8.0 with the patch or later) to remediate the issue. No workarounds have been publicly documented.
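The fail-open behaviour described for AbstractQueryBlackListHandler.isPass() can be reproduced with a simplified stand-in. This is an added example, not JeecgBoot's code or the cited patch. The class, extractTables() and both isPass variants are hypothetical, and the fail-closed variant shows a general hardening pattern rather than what the commit does.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class BlacklistFailClosedDemo {
    // Schema names the page says the patch adds to the blacklist.
    static final List<String> DENIED = List.of("information_schema", "performance_schema");
    static final Pattern FROM = Pattern.compile("\\bfrom\\s+(\\S+)", Pattern.CASE_INSENSITIVE);

    // Hypothetical stand-in for the SQL parser: returns the sources named after FROM
    // and throws on a parenthesised source, imitating the type cast exception.
    static List<String> extractTables(String sql) {
        List<String> tables = new ArrayList<>();
        Matcher m = FROM.matcher(sql);
        while (m.find()) {
            String source = m.group(1).toLowerCase();
            if (source.startsWith("(")) {
                throw new ClassCastException("source is not a plain table: " + source);
            }
            tables.add(source);
        }
        return tables;
    }

    static boolean hitsDenied(List<String> tables) {
        return tables.stream().anyMatch(t -> DENIED.stream().anyMatch(d -> t.equals(d) || t.startsWith(d + ".")));
    }

    // Fail-open: the exception is swallowed, the list stays null, and null means "nothing to block".
    static boolean isPassFailOpen(String sql) {
        List<String> list = null;
        try { list = extractTables(sql); } catch (RuntimeException e) { /* swallowed */ }
        return list == null || !hitsDenied(list);
    }

    // Fail-closed: a statement the filter cannot analyse is rejected.
    static boolean isPassFailClosed(String sql) {
        try { return !hitsDenied(extractTables(sql)); } catch (RuntimeException e) { return false; }
    }

    public static void main(String[] args) {
        String[] samples = { // constructed input; the last two are the statements quoted above
            "select id from demo_table",
            "select schema_name from information_schema.schemata",
            "select schema_name from (information_schema.schemata)" };
        for (String sql : samples) {
            System.out.printf("%-55s failOpen=%b failClosed=%b%n", sql, isPassFailOpen(sql), isPassFailClosed(sql));
        }
    }
}
```

The two variants disagree only on the parenthesised statement, which is the case where analysis fails and the decision falls to the error path.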
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jeecgframework.boot:jeecg-boot-base-core (Maven) | >= 3.4.3, < 3.8.1 | 3.8.1 |
Affected products
- JeecgBoot/JeecgBoot