CVE-2025-9412 in ruoyi-goinfo

Summary

by MITRE • 08/26/2025

A vulnerability was detected in lostvip-com ruoyi-go up to 2.1. This affects the function SelectListByPage of the file modules/system/dao/DictDataDao.go. The manipulation of the argument orderByColumn/isAsc results in sql injection. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 10/10/2025

The vulnerability identified as CVE-2025-9412 represents a critical sql injection flaw within the ruoyi-go web application framework version 2.1 and earlier. This vulnerability specifically impacts the SelectListByPage function located in the modules/system/dao/DictDataDao.go file, which serves as a data access object for dictionary data operations. The flaw arises from insufficient input validation and sanitization of user-supplied parameters that are directly incorporated into sql query construction without proper escaping or parameterization. The affected parameters orderByColumn and isAsc are processed in a manner that allows malicious actors to manipulate the sql execution flow by injecting crafted sql fragments through these inputs. This vulnerability exists within the application's data access layer where user-provided sorting criteria are directly concatenated into sql statements, creating an avenue for unauthorized database access and potential data exfiltration.

The technical exploitation of this vulnerability follows a classic sql injection attack pattern where an attacker can manipulate the orderByColumn parameter to inject malicious sql syntax that alters the intended query behavior. When the application processes user input through the SelectListByPage function, the unvalidated orderByColumn and isAsc parameters are directly incorporated into the sql query construction process, bypassing standard sql parameter binding mechanisms. This allows attackers to inject sql commands that can execute arbitrary database operations, potentially leading to complete database compromise, data theft, or unauthorized privilege escalation. The vulnerability is particularly concerning as it operates at the data access layer, meaning that successful exploitation could provide attackers with access to all dictionary data and potentially other related database information. The public availability of exploit code further amplifies the risk, as it removes the barrier to entry for potential attackers and increases the likelihood of widespread exploitation across vulnerable installations.

The operational impact of this vulnerability extends beyond simple data theft to encompass complete system compromise and business disruption. Organizations running affected versions of ruoyi-go applications face significant risk of unauthorized data access, data manipulation, and potential denial of service attacks. The remote exploit capability means that attackers can target vulnerable systems without requiring physical access or prior authentication, making the attack surface extremely broad. Database administrators and security teams must consider that this vulnerability could enable attackers to extract sensitive information from the application's database, modify critical system data, or even escalate privileges to gain administrative access to the underlying database system. The lack of vendor response to early disclosure attempts compounds the issue, leaving affected organizations without official patches or mitigation guidance during the critical period when they need to address the vulnerability.

Organizations should immediately implement multiple layers of defense to mitigate this vulnerability while awaiting official patches or updates. The primary mitigation strategy involves implementing strict input validation and sanitization for all user-provided parameters, particularly those used in sql query construction. The application code should be modified to use proper sql parameter binding or prepared statements instead of direct string concatenation for dynamic query building. Additionally, implementing web application firewalls with sql injection detection capabilities can provide an additional protective layer against exploitation attempts. Network segmentation and access controls should be strengthened to limit exposure of vulnerable applications to untrusted networks. The implementation of principle of least privilege for database connections and regular security audits of sql query patterns can help identify and remediate similar vulnerabilities. Organizations should also consider implementing database activity monitoring and intrusion detection systems to detect potential exploitation attempts and provide early warning of compromise. Compliance with industry standards such as those defined in the CWE catalog for sql injection vulnerabilities and ATT&CK framework techniques for command and control operations can help establish comprehensive defensive strategies against this class of threat.

Responsible

VulDB

Disclosure

08/26/2025

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00320

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!