VYPR
Medium severity · 6.5 · NVD Advisory · Published Oct 17, 2025 · Updated Apr 15, 2026

CVE-2025-60514

Description

Tillywork v0.1.3 and below is vulnerable to SQL Injection in app/common/helpers/query.builder.helper.ts.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Tillywork v0.1.3 and below contains a SQL injection flaw in query.builder.helper.ts, allowing authenticated users to run arbitrary SQL queries.

Vulnerability

Analysis

CVE-2025-60514 is a SQL injection vulnerability in Tillywork, an open-source project. The flaw resides in the app/common/helpers/query.builder.helper.ts file and affects versions v0.1.3 and below. The root cause is that the server directly concatenates user-supplied values into SQL queries for the IN and NIN clauses without proper parameterization, making it susceptible to injection attacks.[1]

Exploitation

An authenticated user can exploit this vulnerability by inserting a single quote character into a value that is used in an IN or NIN clause. This input bypasses sanitization and breaks the SQL query structure. A simple proof of concept involves sending a single quote, which triggers an HTTP 500 internal server error; the SQL syntax error becomes visible in the server log, confirming the injection point.[1]
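As an added illustration for the analysis and exploitation notes above (this is not Tillywork's code and not the fix from the cited pull request): a TypeScript helper in the style of a query builder that emits IN / NOT IN clauses. The unsafe variant splices values into the SQL text, so an apostrophe in ordinary data such as the name O'Brien already changes the query's syntax, which is the failure the server log exposes as a syntax error. The hardened variant checks the column name against an allow-list (identifiers cannot be bound as parameters), emits numbered placeholders and hands the values to the driver in a separate array. The `$1`-style placeholders, the function names and the allow-list contents are assumptions of this example.

```typescript
// Added example, not Tillywork's code: emitting an IN / NOT IN filter clause
// without splicing user data into the SQL text. The placeholder style ($1, $2, ...)
// and every name below are assumptions of this illustration.

interface BoundClause {
  sql: string;        // SQL fragment containing placeholders only, never user data
  params: unknown[];  // values the driver binds separately from the SQL text
}

// Unsafe pattern (illustrative): each value is quoted by hand and joined into the
// query string, so a value containing an apostrophe becomes part of the syntax.
function buildInClauseUnsafe(column: string, values: string[], negate = false): string {
  const op = negate ? 'NOT IN' : 'IN';
  const list = values.map((v) => `'${v}'`).join(', ');
  return `${column} ${op} (${list})`;
}

// Hardened pattern: the identifier is validated against an allow-list, each value
// becomes a numbered placeholder, and the values travel separately for binding.
function buildInClause(
  column: string,
  values: unknown[],
  allowedColumns: ReadonlySet<string>,
  negate = false,
  firstIndex = 1,
): BoundClause {
  if (!allowedColumns.has(column)) {
    throw new Error(`filter on column "${column}" is not permitted`);
  }
  if (values.length === 0) {
    // "IN ()" is a syntax error in most dialects; an empty IN matches nothing
    // and an empty NOT IN matches everything, so emit a constant predicate.
    return { sql: negate ? 'TRUE' : 'FALSE', params: [] };
  }
  const op = negate ? 'NOT IN' : 'IN';
  const placeholders = values.map((_, i) => `$${firstIndex + i}`).join(', ');
  return { sql: `${column} ${op} (${placeholders})`, params: [...values] };
}

// Regression check for a unit-test suite: the SQL text produced by the safe
// builder must be identical for any two value lists of equal length, whatever
// characters those values contain. That property is what parameterization gives.
function sqlTextIsValueIndependent(
  a: unknown[],
  b: unknown[],
  allowed: ReadonlySet<string>,
): boolean {
  if (a.length !== b.length) return false;
  return buildInClause('status', a, allowed).sql === buildInClause('status', b, allowed).sql;
}

// Demo with constructed data: an apostrophe inside a legitimate value.
const demoAllowed: ReadonlySet<string> = new Set(['status', 'owner']);
const demoNames = ['Alice', "O'Brien"];
console.log(buildInClauseUnsafe('owner', demoNames));          // owner IN ('Alice', 'O'Brien')  <- broken syntax
console.log(buildInClause('owner', demoNames, demoAllowed));   // { sql: 'owner IN ($1, $2)', params: [ 'Alice', "O'Brien" ] }
console.log(sqlTextIsValueIndependent(demoNames, ['x', 'y'], demoAllowed)); // true
```

The `sqlTextIsValueIndependent` check is the kind of test a maintainer can keep in the repository to catch a regression to string concatenation: if any value ever leaks into the generated SQL text, the two fragments stop matching.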

Impact

Successful exploitation allows an authenticated attacker to inject malicious SQL commands and execute arbitrary queries against the database. Depending on database permissions, this could lead to unauthorized reading or modification of data, including potential privilege escalation or data exfiltration.

Mitigation

The vendor has addressed the issue via a hot fix in pull request #288 on the official GitHub repository. Users are strongly advised to apply the patch or upgrade to a patched version as soon as possible.[1]

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0 (No linked articles in our index yet.)