CVE-2025-55476
BaseFortify
Publication date: 2025-09-02
Last updated on: 2025-09-05
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| shaneisrael | fireshare | 1.2.25 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-55476 is a time-based blind SQL injection vulnerability in FireShare FileShare 1.2.25. It occurs in the 'sort' parameter of the GET /api/videos/public endpoint, where user input is directly inserted into a SQL ORDER BY clause without proper sanitization. This allows attackers to inject arbitrary SQL subqueries that do not produce direct error messages or data output but enable attackers to infer sensitive information by measuring response delays caused by time-consuming database operations. [3]
How can this vulnerability impact me? :
This vulnerability can allow attackers to extract sensitive information from the database, such as usernames, emails, password hashes, and database schema details. Attackers can also impersonate high-privilege users by reconstructing credentials through time-based inference. This can lead to unauthorized access, data breaches, and compromise of the affected system. [3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability can lead to unauthorized disclosure of sensitive personal data, such as usernames and potentially other user information, which may violate data protection regulations like GDPR and HIPAA. Exploitation could result in data breaches, undermining compliance requirements for protecting personal and sensitive information. [3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending specially crafted requests to the endpoint GET /api/videos/public with the sort parameter containing time-based blind SQL injection payloads. For example, injecting payloads that cause conditional delays such as: (SELECT CASE WHEN substr((SELECT username FROM user LIMIT 1 OFFSET 0), 1, 1) = 'a' THEN randomblob(100000000) ELSE 'a' END) and measuring response times to detect delays indicating successful injection. Commands using curl could be: curl -i "http://<target>/api/videos/public?sort=(SELECT CASE WHEN substr((SELECT username FROM user LIMIT 1 OFFSET 0), 1, 1) = 'a' THEN randomblob(100000000) ELSE 'a' END)" Monitoring for increased response times compared to normal requests can indicate the presence of the vulnerability. Additionally, deploying Web Application Firewall (WAF) rules to detect suspicious SQL patterns like 'randomblob(', 'substr(', and 'CASE WHEN' can help detect exploitation attempts. [3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: - Avoid passing unsanitized user input directly into SQL ORDER BY clauses. - Implement strict whitelisting of allowed sort parameter values and validate inputs before use. - Use parameterized queries or ORM-safe ordering functions to prevent injection. - Deploy Web Application Firewall (WAF) rules to block suspicious SQL injection patterns such as 'randomblob(', 'substr(', and 'CASE WHEN'. - Apply rate limiting to reduce the risk of brute-force data extraction. - Upgrade to FireShare version 1.2.26 or later, which includes a critical security fix addressing this SQL injection vulnerability. [2, 3]