CVE-2025-51825
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-08-22

Last updated on: 2025-10-01

Assigner: MITRE

Description
JeecgBoot versions from 3.4.3 up to 3.8.0 were found to contain a SQL injection vulnerability in the /jeecg-boot/online/cgreport/head/parseSql endpoint, which allows bypassing SQL blacklist restrictions.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-08-22
Last Modified
2025-10-01
Generated
2026-06-16
AI Q&A
2025-08-22
EPSS Evaluated
2026-06-15
NVD
CVE-2025-51825
EUVD
EUVD-2025-25520
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
guojusoft jeecgboot From 3.4.3 (inc) to 3.8.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-51825 is a SQL injection vulnerability in JeecgBoot versions 3.4.3 to 3.8.0, specifically in the /jeecg-boot/online/cgreport/head/parseSql endpoint. The vulnerability arises because the method responsible for checking SQL queries against a blacklist improperly handles subqueries. When a maliciously crafted subquery is sent, it triggers an exception that causes the blacklist check to be bypassed, allowing the attacker to execute arbitrary SQL commands through the report interface. [1, 2]

Impact Analysis

This vulnerability allows attackers to bypass SQL injection blacklist restrictions and execute arbitrary SQL queries on the affected system. This can lead to unauthorized data access, data manipulation, or data leakage through the online report interface. Attackers can create reports with malicious SQL, retrieve sensitive database information, and potentially compromise the integrity and confidentiality of the database. [1, 2]

Detection Guidance

This vulnerability can be detected by testing the /jeecg-boot/online/cgreport/head/parseSql endpoint with crafted SQL queries that include subqueries designed to bypass the blacklist. For example, sending a GET request with the parameter sql=select schema_name from (information_schema.schemata) can be used to check if the blacklist is bypassed. A command using curl might be: curl -G 'http://<target>/jeecg-boot/online/cgreport/head/parseSql' --data-urlencode "sql=select schema_name from (information_schema.schemata)". If this request succeeds without triggering a blacklist warning, the system is vulnerable. [1, 2]

Mitigation Strategies

Immediate mitigation steps include restricting access to the /jeecg-boot/online/cgreport/head/parseSql endpoint to trusted users only, applying input validation or filtering at the web application firewall level to block suspicious subquery patterns, and monitoring logs for unusual SQL query patterns targeting this endpoint. Additionally, updating JeecgBoot to a version later than 3.8.0 where this vulnerability is fixed is recommended once a patch is available.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-51825. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart