CVE-2025-57631
BaseFortify
Publication date: 2025-09-16
Last updated on: 2025-09-23
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tduckcloud | tduck | 5.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-57631 is a SQL Injection vulnerability in TDuckCloud version 5.1 that affects the API endpoint `/user/form/data/download/file`. An attacker can inject malicious SQL code via the `formKey` parameter in a JSON POST request. This injection can cause the backend SQL query to fail and potentially allows the attacker to execute arbitrary SQL commands, such as retrieving database information or compromising the backend database. The vulnerability is triggered when a user creates a new form, adds a file upload module, and attempts to download an attachment, which leads to error messages indicating SQL query failure. [1, 2]
How can this vulnerability impact me? :
This vulnerability can allow a remote attacker to execute arbitrary SQL commands on the backend database of TDuckCloud v5.1. This can lead to unauthorized data disclosure, modification, or deletion, potentially compromising sensitive information and the integrity of the system. It may also allow further exploitation or takeover of the backend infrastructure. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending a crafted POST request to the endpoint `/user/form/data/download/file` with a JSON body containing a malicious `formKey` parameter designed to trigger an SQL error. For example, using curl, you can send a request like: curl -X POST http://<target-ip>:8999/user/form/data/download/file \ -H "Content-Type: application/json" \ -H "Authorization: Bearer <JWT_token>" \ -d '{"formKey":"ksmWeN6 'and updatexml(1,concat(0x7e,(select database()),0x7e),1) and '","otherParam1":null,"otherParam2":null}' If the response contains error messages such as "Sorry, something went wrong" or "There was an error while loading," it indicates the backend SQL query failed due to injection, confirming the vulnerability. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable endpoint `/user/form/data/download/file` to trusted users only, applying input validation and sanitization on the `formKey` parameter to prevent SQL injection, and monitoring for suspicious requests targeting this endpoint. Additionally, if possible, update or patch the TDuckCloud platform to a version where this vulnerability is fixed. Until a patch is available, consider disabling the file upload module or the affected functionality to prevent exploitation. [1, 2]