CVE-2025-67102
SQL Injection in Jorani alldayoffs Allows Arbitrary Commands
Publication date: 2026-02-17
Last updated on: 2026-04-03
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jorani | jorani | to 1.0.4 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-67102 is an authenticated SQL injection vulnerability in Jorani, an open-source leave and overtime management system, affecting versions up to and including v1.0.4.
The vulnerability exists in the alldayoffs feature, specifically in the getAllChildren function of the organization model, where the entity parameter is directly concatenated into an SQL query without proper sanitization or parameterization.
An authenticated attacker can exploit this flaw by injecting arbitrary SQL commands through the entity HTTP GET parameter in the /contracts/calendar/alldayoffs endpoint, potentially manipulating the database.
How can this vulnerability impact me? :
This vulnerability allows an authenticated attacker to execute arbitrary SQL commands on the backend database.
- Extract sensitive data from the database.
- Modify or delete database content, potentially disrupting application functionality.
- Cause denial of service by injecting commands that delay or crash the database.
Since the vulnerability is unpatched and the project is archived, affected organizations should consider it permanent and seek alternative solutions or isolate the vulnerable system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': "This vulnerability can be detected by sending an authenticated HTTP GET request to the vulnerable endpoint and observing the server's response time for signs of SQL injection."}, {'type': 'paragraph', 'content': "A proof-of-concept involves injecting a SQL time delay function via the 'entity' parameter in the /contracts/calendar/alldayoffs route."}, {'type': 'list_item', 'content': 'Use a command like: curl -i -b cookie.txt "http://<jorani-host>/contracts/calendar/alldayoffs?entity=sleep(5);&children=true&start=YYYY-MM-DD&end=YYYY-MM-DD"'}, {'type': 'paragraph', 'content': 'If the server response is delayed by approximately 5 seconds, it indicates the presence of the SQL injection vulnerability.'}] [2]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': "Since the project maintainer has confirmed the issue but will not provide a fix due to the project's archival status, immediate mitigation steps include isolating or restricting access to the vulnerable Jorani instance."}, {'type': 'list_item', 'content': 'Restrict access to the /contracts/calendar/alldayoffs endpoint to trusted users only.'}, {'type': 'list_item', 'content': 'Implement network-level controls such as firewall rules or VPN access to limit exposure.'}, {'type': 'list_item', 'content': 'Consider migrating to an alternative leave management system that is actively maintained and patched.'}, {'type': 'paragraph', 'content': 'No official patch or fix is available, so these containment and isolation measures are critical to reduce risk.'}] [2]