CVE-2025-8264
BaseFortify
Publication date: 2025-07-29
Last updated on: 2026-04-29
Assigner: Snyk
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| z-push | z-push-dev | * |
| z-push | z-push | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-8264 is a SQL Injection vulnerability in the IMAP backend of the Z-Push project, specifically affecting versions before 2.7.6. The issue arises because the software uses unparameterized SQL queries when processing the username field during basic authentication. An attacker can manipulate this username field to inject malicious SQL commands, which can then be executed on the linked third-party database. This allows unauthorized access and potential modification or deletion of sensitive data. The vulnerability affects Z-Push installations that use the IMAP backend with the IMAP_FROM_SQL_QUERY option configured. [1, 2, 3]
How can this vulnerability impact me?
This vulnerability can have severe impacts including unauthorized access to sensitive data, as well as the ability for an attacker to modify or delete data in the linked third-party database. Since the attack can be performed remotely without any privileges or user interaction, it poses a critical risk to confidentiality, integrity, and availability of data. Exploitation could lead to data breaches, loss of data integrity, and service disruption. [2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by performing time-based blind SQL injection tests targeting the username field in the Basic Authentication header of Z-Push's IMAP backend. For example, injecting a payload such as `admin'; SELECT pg_sleep(5) --` into the username field and observing a significant delay in server response time (e.g., an increase of about 5 seconds) indicates the presence of the vulnerability. Standard SQL injection attempts on URL parameters, POST data, HTTP headers, and XML payloads are ineffective. Detection requires careful tuning of payloads and timing to confirm the vulnerability without triggering timeouts. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include changing the Z-Push IMAP backend configuration to avoid using the vulnerable SQL query option. Specifically, update the configuration file backend/imap/config.php to set `define('IMAP_DEFAULTFROM', '');` to use the default backend or `define('IMAP_DEFAULTFROM', 'ldap');` to use the LDAP backend. Alternatively, upgrade the z-push/z-push-dev package to version 2.7.6 or later, which includes a fix that uses parameterized SQL queries to prevent SQL injection. [3, 1]
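The following is an added example, not part of the advisory or of Z-Push's own code: a small audit that reads the text of backend/imap/config.php and classifies an installation using the fixed version and the two `IMAP_DEFAULTFROM` settings given above. The function names, status labels, sample configs and the `'sql'` value are assumptions made for illustration, and the installed version is supplied by the caller.

```python
import re

FIXED_VERSION = (2, 7, 6)        # first fixed release named on this page
MITIGATED_FROM = {"", "ldap"}    # IMAP_DEFAULTFROM values the page lists as mitigations

# define('NAME', 'value'); with either quote style around name and value
_DEFINE = re.compile(
    r"""define\(\s*(['"])(?P<name>\w+)\1\s*,\s*(['"])(?P<value>.*?)\3\s*\)\s*;""")

def parse_defines(php_source):
    """Return {NAME: value} for active (uncommented) define() calls."""
    src = re.sub(r"/\*.*?\*/", "", php_source, flags=re.S)     # block comments
    src = re.sub(r"^[ \t]*(//|#).*$", "", src, flags=re.M)      # whole-line comments
    found = {}
    for m in _DEFINE.finditer(src):
        found.setdefault(m["name"], m["value"])   # PHP keeps the first definition
    return found

def parse_version(text):
    """'2.7.5' -> (2, 7, 5); any suffix after the numeric part is ignored."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(part or 0) for part in m.groups())

def assess(php_source, installed_version):
    """Classify one installation using only the two mitigations this page gives."""
    if parse_version(installed_version) >= FIXED_VERSION:
        return "fixed-version"
    default_from = parse_defines(php_source).get("IMAP_DEFAULTFROM")
    if default_from in MITIGATED_FROM:
        return "mitigated-by-config"
    return "review"   # undefined or another value: check whether the SQL lookup is in use

# Constructed sample configs (not from a real deployment). The 'sql' value is an
# assumption about how the SQL lookup is selected in config.php.
SAMPLE_SQL = """<?php
// define('IMAP_DEFAULTFROM', '');
define('IMAP_DEFAULTFROM', 'sql');
define('IMAP_FROM_SQL_QUERY', "placeholder query");
"""
SAMPLE_LDAP = """<?php
define("IMAP_DEFAULTFROM", "ldap");
"""

if __name__ == "__main__":
    for label, cfg, ver in [("sql on 2.7.5", SAMPLE_SQL, "2.7.5"),
                            ("ldap on 2.7.5", SAMPLE_LDAP, "2.7.5"),
                            ("sql on 2.7.6", SAMPLE_SQL, "2.7.6")]:
        print(f"{label}: {assess(cfg, ver)}")
```

A `review` result means the configuration matches neither mitigation listed above and the version predates the fix, so the installation needs a manual check or an upgrade.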