CVE-2025-9410 in ruoyi-go
Summary
by MITRE • 08/26/2025
A weakness has been identified in lostvip-com ruoyi-go up to 2.1. The affected element is the function SelectListByPage of the file modules/system/dao/GenTableDao.go. Executing manipulation of the argument isAsc/orderByColumn can lead to sql injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 10/07/2025
The vulnerability CVE-2025-9410 represents a critical sql injection weakness in the lostvip-com ruoyi-go framework version 2.1 and earlier. This vulnerability resides within the SelectListByPage function located in modules/system/dao/GenTableDao.go, making it a significant security concern for applications utilizing this codebase. The flaw specifically manifests when processing user-controlled input through the arguments isAsc and orderByColumn, which are directly incorporated into sql query construction without adequate sanitization or parameterization.
The technical implementation of this vulnerability stems from improper input validation and query construction practices within the database access layer. When the isAsc and orderByColumn parameters are passed to the SelectListByPage function, they are concatenated directly into sql statements rather than being properly bound as parameters. This creates an environment where malicious actors can manipulate these parameters to inject arbitrary sql commands, effectively bypassing normal security controls and potentially gaining unauthorized access to sensitive data or system resources. The vulnerability's classification aligns with CWE-89 sql injection, which is a well-documented and highly dangerous weakness in database applications.
The operational impact of this vulnerability extends beyond simple data theft, as it enables attackers to perform complete database compromise through remote exploitation. The public availability of exploit code significantly amplifies the risk, as it removes the barrier to entry for potential attackers who may not possess advanced technical skills. Remote exploitation capabilities mean that attackers can target vulnerable systems without requiring physical access or network proximity, making the attack surface much broader. This vulnerability could result in data breaches, unauthorized system access, and potential lateral movement within compromised networks, particularly in environments where the ruoyi-go framework is widely deployed.
Organizations utilizing the affected ruoyi-go framework version 2.1 or earlier must implement immediate mitigations to protect their systems from exploitation. The primary recommendation involves implementing proper input validation and parameterized queries for all database operations, specifically ensuring that the isAsc and orderByColumn parameters are either strictly validated against known safe values or properly escaped and parameterized before database execution. Additionally, organizations should consider implementing web application firewalls and input sanitization layers to detect and prevent malicious injection attempts. The lack of vendor response to early disclosure highlights the importance of proactive security measures and the need for organizations to maintain independent vulnerability assessment and remediation processes. Security teams should also conduct comprehensive audits of their codebases to identify similar patterns of insecure database query construction that may be present in other modules or components.