CVE-2025-9413 in ruoyi-go
Summary
by MITRE • 08/26/2025
A flaw has been found in lostvip-com ruoyi-go up to 2.1. This impacts the function SelectListByPage of the file modules/system/system_router.go. This manipulation of the argument orderByColumn/isAsc causes sql injection. The attack may be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 10/10/2025
The vulnerability identified as CVE-2025-9413 represents a critical sql injection flaw within the lostvip-com ruoyi-go framework version 2.1 and earlier. This vulnerability specifically affects the SelectListByPage function located in the modules/system/system_router.go file, which serves as a core component for data retrieval operations within the application's system module. The flaw stems from inadequate input validation and sanitization of user-supplied parameters that are directly incorporated into sql query construction without proper escaping or parameterization mechanisms.
The technical exploitation occurs through manipulation of the orderByColumn and isAsc arguments within the function call, where attacker-controlled data flows directly into the sql statement execution context. This creates a condition where malicious users can inject arbitrary sql commands by crafting specific input values for these parameters, effectively bypassing normal authorization checks and potentially gaining unauthorized access to sensitive data. The vulnerability is particularly dangerous because it allows remote exploitation without requiring authentication, as indicated by the disclosure that the exploit has been published and is actively available. The attack vector leverages the application's legitimate data sorting functionality to execute malicious sql payloads that can perform data exfiltration, modification, or deletion operations.
The operational impact of this vulnerability extends beyond simple data theft, as it can enable attackers to escalate privileges within the application's database layer and potentially compromise the entire backend infrastructure. Given that the vendor failed to respond to early disclosure attempts, organizations utilizing affected versions of ruoyi-go remain exposed to active exploitation attempts. This vulnerability aligns with CWE-89 sql injection weakness classification and maps directly to attack techniques described in the ATT&CK framework under T1071.004 Application Layer Protocol and T1566.001 Phishing. The lack of vendor response compounds the risk, as no official patches or mitigation guidance exists, leaving users vulnerable to coordinated attacks.
Organizations should immediately implement network-level mitigations including firewall rules that restrict access to affected endpoints and deploy intrusion detection systems to monitor for exploitation attempts. The most effective remediation involves implementing proper input validation and parameterized query construction for all user-supplied sorting parameters, ensuring that orderByColumn and isAsc values are strictly validated against predefined whitelists of allowed columns and sort directions. Additionally, organizations should consider implementing web application firewalls and conducting comprehensive security assessments of all applications using the affected framework version. The vulnerability demonstrates the critical importance of input sanitization in database interaction functions and highlights the necessity of maintaining up-to-date security patches for all application components.