Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2025-15585 is an authenticated SQL injection vulnerability found in FileFlows versions before 25.05.2, specifically in the library-file search function.'}, {'type': 'paragraph', 'content': 'The vulnerability arises because the application constructs SQL queries by concatenating user input with minimal sanitization, allowing malicious input to manipulate the SQL commands executed against the database.'}, {'type': 'paragraph', 'content': "This flaw is exploitable only when the system uses MySQL as the underlying database, due to MySQL's support for C-style backslash escaping and multiple query execution."}] [2]

Useful 0 Not Useful 0

Impact Analysis

Successful exploitation of this vulnerability can lead to privilege escalation or data exfiltration.

An attacker could inject malicious SQL commands to escalate their privileges, for example by updating user roles to admin, or extract sensitive data from the database.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'The vulnerability is an authenticated SQL injection in the FileFlows library-file search function, specifically in the POST /api/library-file/search endpoint. Detection involves monitoring or testing this API endpoint for SQL injection attempts.'}, {'type': 'paragraph', 'content': 'Since the vulnerability arises from unsafe SQL query construction using user input in the LibraryFileSearchModel filter, detection can be attempted by sending crafted payloads to the search API that include SQL injection patterns, especially targeting MySQL-specific escape sequences like backslashes (\\) and comments (/**/).'}, {'type': 'paragraph', 'content': 'Example detection commands could include using curl or similar tools to send POST requests with suspicious payloads in the LibraryName parameter, such as:'}, {'type': 'list_item', 'content': 'curl -X POST https://<fileflows-server>/api/library-file/search -H \'Content-Type: application/json\' -d \'{"LibraryName": "test\\\' OR 1=1 -- "}\''}, {'type': 'list_item', 'content': 'curl -X POST https://<fileflows-server>/api/library-file/search -H \'Content-Type: application/json\' -d \'{"LibraryName": "test\\\'; DROP TABLE users; -- "}\''}, {'type': 'paragraph', 'content': 'Successful exploitation or error messages indicating SQL syntax errors or unexpected behavior may confirm the presence of the vulnerability.'}] [2]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation involves upgrading FileFlows to a version where the vulnerability is fixed. The fix was verified and released in version 25.05 under FF-2238.

If upgrading immediately is not possible, restrict access to the vulnerable API endpoint to trusted users only, as exploitation requires authentication.

Additionally, if your system uses MySQL as the underlying database, consider monitoring and blocking suspicious input patterns that could exploit SQL injection, such as backslash escapes and comment sequences.

Longer term, ensure that the application uses parameterized queries or ORM methods that avoid direct string concatenation with user input.

Useful 0 Not Useful 0