Unrated severityNVD Advisory· Published Jul 14, 2025· Updated Jul 15, 2025

Metersphere has SQL Injection Vulnerability in Sorting Field

CVE-2025-53639

Description

MeterSphere is an open source continuous testing platform. Prior to version 3.6.5-lts, the sortField parameter in certain API endpoints is not properly validated or sanitized. An attacker can supply crafted input to inject and execute arbitrary SQL statements through the sorting functionality. This could result in modification or deletion of database contents, with a potential full compromise of the application’s database integrity and availability. Version 3.6.5-lts fixes the issue.

Affected products

MeterSphere/MeterSpherellm-fuzzy
Range: <3.6.5-lts
metersphere/meterspherev5
Range: < 3.6.5-lts

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/metersphere/metersphere/security/advisories/GHSA-vcm3-5w3f-9f45mitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000