CVE-2025-9411 in ruoyi-goinfo

Summary

by MITRE • 08/26/2025

A security vulnerability has been detected in lostvip-com ruoyi-go up to 2.1. The impacted element is the function SelectPageList of the file modules/system/service/LoginInforService.go. The manipulation of the argument isAsc leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 10/10/2025

The vulnerability identified as CVE-2025-9411 represents a critical sql injection flaw within the ruoyi-go web application framework version 2.1 and earlier. This security weakness resides in the LoginInforService.go file where the SelectPageList function processes user input without adequate sanitization or validation. The specific vector of exploitation occurs through manipulation of the isAsc parameter which directly influences sql query construction. This type of vulnerability falls under CWE-89 sql injection, a well-documented weakness that allows attackers to execute arbitrary sql commands against the database backend. The application's failure to properly escape or parameterize user-supplied input creates an environment where malicious actors can craft sql payloads that bypass authentication mechanisms and potentially gain unauthorized access to sensitive data.

The operational impact of this vulnerability extends beyond simple data exfiltration to encompass complete system compromise and unauthorized administrative access. Remote exploitation means that attackers can initiate attacks from anywhere on the internet without requiring physical access to the target network. The disclosed exploit demonstrates that threat actors can manipulate the isAsc parameter to inject malicious sql code that could retrieve user credentials, personal information, or even execute destructive commands against the database. This vulnerability directly aligns with ATT&CK technique T1190 for exploiting vulnerabilities in web applications and T1071.004 for application layer protocol usage. The lack of vendor response despite early notification creates a particularly concerning scenario where organizations may remain unaware of the risk for extended periods, potentially allowing persistent threat actors to establish long-term footholds within their infrastructure.

Organizations utilizing the affected ruoyi-go framework must implement immediate mitigations to protect against exploitation. The primary defense involves parameterizing all database queries and implementing strict input validation for the isAsc parameter to ensure it only accepts predefined acceptable values such as true or false. Additionally, the application should employ prepared statements or stored procedures to prevent sql injection regardless of input content. Network-level protections including web application firewalls and intrusion detection systems should be configured to monitor for suspicious sql injection patterns targeting the specific endpoint. The absence of vendor response underscores the importance of proactive security measures and the need for organizations to maintain independent vulnerability assessment capabilities. Security teams should also conduct comprehensive penetration testing to identify similar vulnerabilities across the entire application stack and implement proper access controls to limit the potential damage from successful exploitation attempts.

Responsible

VulDB

Disclosure

08/26/2025

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00317

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!