CVE-2025-9148
BaseFortify
Publication date: 2025-08-19
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| codephiliax | chat2db | 0.3.7 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-9148 is a remote SQL injection vulnerability in CodePhiliaX Chat2DB versions up to 0.3.7. It occurs in the JDBC Connection Handler component, specifically in the DataSourceController.java file. The vulnerability arises because the application improperly handles user-supplied input used to construct SQL commands, allowing an attacker to manipulate SQL queries remotely. This can lead to arbitrary code execution on the affected system by supplying specially crafted URLs through the /datasource/pre_connect interface. [1, 2]
How can this vulnerability impact me? :
This vulnerability can allow remote attackers to execute arbitrary SQL commands on the affected system, potentially compromising the confidentiality, integrity, and availability of the data and system. It may lead to unauthorized data access, data modification, or disruption of service. Since the exploit is publicly available and the vendor has not provided a fix, the risk of exploitation is significant. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves monitoring for exploitation attempts targeting the /datasource/pre_connect interface with specially crafted URLs that attempt SQL injection or arbitrary code execution. Network intrusion detection systems (NIDS) or web application firewalls (WAF) can be configured to look for unusual SQL syntax or suspicious URL parameters in requests to this endpoint. Specific commands are not provided in the resources, but general approaches include using tools like curl or wget to test the endpoint with crafted payloads, or employing SQL injection detection tools such as sqlmap against the /datasource/pre_connect interface. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include replacing the affected CodePhiliaX Chat2DB component with an alternative product, as no official fixes or countermeasures have been published by the vendor. Additionally, restricting access to the vulnerable /datasource/pre_connect interface via network controls or firewall rules, and deploying web application firewalls to block suspicious SQL injection attempts can help reduce risk. Monitoring for exploitation attempts and applying strict input validation on the affected interface, if possible, are also recommended. [2]