CVE-2025-0405

6.3 MEDIUM

📋 TL;DR

CVE-2025-0405 is a SQL injection vulnerability in liujianview gymxmjpa 1.0 (CVSS 6.3, medium). The goodsName request parameter handled by GoodsController.java is placed into a SQL query without parameterization, so a remote attacker can supply SQL syntax that changes the query. Every deployment of the vulnerable version is affected; the consequences range from reading data the caller should not see to modifying or deleting it.

💻 Affected Systems

Products:
  • liujianview gymxmjpa
Versions: 1.0
Operating Systems: All platforms (the flaw is in the Java application code, not in the OS or JVM)
Default Config Vulnerable: ⚠️ Yes
Notes: Any deployment using the vulnerable GoodsController.java file is affected regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise: exfiltration, modification or deletion of any table the application's database account can reach, and code execution on the database host if that account holds file-write or OS-command privileges.

🟠 Likely Case: Unauthorized read access to sensitive data in the database, such as user records, transaction records or system configuration, via UNION-based or blind extraction through the goods search.

🟢 If Mitigated: Once the query is parameterized the parameter can no longer alter the SQL text, and the injection is gone; a least-privilege database account and input validation further bound what any remaining defect could reach.

🌐 Internet-Facing: HIGH - The endpoint is reachable without authentication, so any internet-facing instance can be probed and exploited by anyone who can send it an HTTP request.
🏢 Internal Only: MEDIUM - Internal instances are just as vulnerable, but an attacker first needs network access to the application, which narrows the population that can reach it.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The exploit has been publicly disclosed and requires minimal technical skill to execute.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch is available. Rewrite the goodsName query in GoodsController.java so the value is bound as a query parameter (PreparedStatement placeholders, or the named parameters of whatever query API the controller uses) instead of being concatenated into the SQL text. Parameterization is the fix; validating or escaping the input is only a stopgap and does not sanitize the query on its own.

🔧 Temporary Workarounds

Input Validation and Sanitization

Platforms: all

As a defense in depth, validate goodsName before it reaches the query: enforce a maximum length and an allowlist of characters a product name legitimately contains, and reject requests carrying quotes, comment sequences (--, /*) or semicolons. Treat this as a stopgap only; the actual fix is to modify src/main/java/com/liujian/gymxmjpa/controller/GoodsController.java to use PreparedStatement with parameterized queries.
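The defect class behind this CVE, shown as an added example rather than code from gymxmjpa (the project is Java; this Python/SQLite reproduction is language-independent and uses an assumed goods table plus a users table, both constructed here). The vulnerable function pastes goodsName into the SQL text the way the advisory describes; the hardened function binds it as a parameter, and the same tautology and UNION payloads then return nothing:

```python
import sqlite3

# Constructed sample data standing in for the application's goods table.
# Table and column names are assumptions, not taken from gymxmjpa.
SAMPLE_GOODS = [
    (1, "dumbbell", 25.0),
    (2, "treadmill", 899.0),
    (3, "yoga mat", 15.0),
]


def make_db():
    """Build an in-memory SQLite database with a goods table and a second
    table holding data an attacker would want to reach through UNION."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE goods (id INTEGER, goods_name TEXT, price REAL)")
    conn.executemany("INSERT INTO goods VALUES (?, ?, ?)", SAMPLE_GOODS)
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', 'pbkdf2$...')")
    return conn


def search_goods_vulnerable(conn, goods_name):
    """The CVE-2025-0405 pattern: the request parameter becomes part of the
    SQL text, so a quote inside goods_name ends the literal and the rest of
    the value is executed as SQL."""
    sql = ("SELECT id, goods_name, price FROM goods WHERE goods_name = '"
           + goods_name + "'")
    return conn.execute(sql).fetchall()


def search_goods_safe(conn, goods_name):
    """Hardened form: a placeholder carries the value as data. The SQL text
    is fixed, so quotes, UNION or comment sequences in the input are just
    characters to compare against."""
    sql = "SELECT id, goods_name, price FROM goods WHERE goods_name = ?"
    return conn.execute(sql, (goods_name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"
    union = "x' UNION SELECT id, username, password_hash FROM users--"
    print("vulnerable, tautology:", search_goods_vulnerable(db, tautology))  # every goods row
    print("vulnerable, union:    ", search_goods_vulnerable(db, union))      # the admin row from users
    print("safe, tautology:      ", search_goods_safe(db, tautology))        # []
    print("safe, union:          ", search_goods_safe(db, union))            # []
```

The UNION payload works because the injected SELECT returns the same number of columns as the original query; the trailing `--` comments out the closing quote the application appends. In the parameterized version the driver never re-parses the value, which is why no amount of escaping or keyword filtering is as strong as the placeholder.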

Web Application Firewall (WAF)

Platforms: all

Deploy a WAF with SQL injection rules in front of the application to block requests that carry SQL syntax in goodsName. Signature rules are routinely bypassed with encoding and case tricks, so this lowers exposure but does not remove it.

🧯 If You Can't Patch

  • Isolate the affected system from the internet and restrict network access to trusted IPs only.
  • Run the application with a least-privilege database account: read-only where the feature allows it, no file-system or administrative privileges, and no access to tables the goods search does not need, so a successful injection cannot write data or reach the host.

🔍 How to Verify

Check if Vulnerable:

Check if the application uses gymxmjpa version 1.0 and examine GoodsController.java for direct concatenation of goodsName parameter in SQL queries.

Check Version:

Check the application's pom.xml or build configuration for gymxmjpa version information.

Verify Fix Applied:

Verify that GoodsController.java uses PreparedStatement with parameterized queries instead of string concatenation for SQL execution.

📡 Detection & Monitoring

Log Indicators:

  • SQL syntax errors in application logs (for example unterminated string literals) raised while handling goods search requests
  • Repeated goods searches from one source with varying goodsName values, the pattern of UNION, boolean or time-based probing

Network Indicators:

  • HTTP requests whose goodsName parameter, after URL decoding, contains quotes, comment sequences or SQL keywords (UNION, SELECT, SLEEP)
  • Unusually large result sets or slow queries from the application server to the database following such requests

SIEM Query:

source="application.logs" AND ("SQL syntax" OR ("goodsName" AND ("SELECT" OR "UNION" OR "DROP")))
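A detector for the network indicators above, as an added example that is not part of the original page or of any gymxmjpa tooling. It URL-decodes goodsName before matching (the raw SIEM query misses `%27` and `%20UNION`) and only alerts when a SQL metacharacter and a keyword occur together, so product names such as "sand and gravel" do not fire. The log format, the `/goods/search` path and the sample lines are constructed assumptions:

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in common log format; not traffic from any real deployment.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2025:10:01:02 +0000] "GET /goods/search?goodsName=dumbbell HTTP/1.1" 200 512
10.0.0.5 - - [10/Jan/2025:10:01:09 +0000] "GET /goods/search?goodsName=yoga+mat HTTP/1.1" 200 498
198.51.100.7 - - [10/Jan/2025:10:02:11 +0000] "GET /goods/search?goodsName=%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 4096
198.51.100.7 - - [10/Jan/2025:10:02:15 +0000] "GET /goods/search?goodsName=x%27%20UNION%20SELECT%20id,username,password_hash%20FROM%20users-- HTTP/1.1" 200 1200
198.51.100.7 - - [10/Jan/2025:10:02:20 +0000] "GET /goods/search?goodsName=x%27%20AND%20SLEEP(5)-- HTTP/1.1" 500 301
"""

REQUEST_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Characters that change SQL structure, and keywords typical of injection probes.
SQL_META = re.compile(r"['\"]|--|/\*|;")
SQL_KEYWORDS = re.compile(
    r"\b(SELECT|UNION|DROP|INSERT|UPDATE|DELETE|SLEEP|BENCHMARK|WAITFOR|OR|AND)\b",
    re.IGNORECASE,
)


def extract_goods_name(log_line):
    """Return (client_ip, decoded goodsName) for a request that carries the
    parameter, or None. parse_qs performs the URL decoding."""
    m = REQUEST_LINE.match(log_line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    values = parse_qs(query, keep_blank_values=True).get("goodsName")
    if not values:
        return None
    return m.group("ip"), values[0]


def classify(value):
    """Reasons a goodsName value looks like SQL injection, or [] if benign.
    Both a metacharacter and a keyword are required, which keeps ordinary
    product names containing 'and' or 'or' quiet."""
    reasons = []
    if SQL_META.search(value):
        reasons.append("sql-metacharacter")
    kw = SQL_KEYWORDS.search(value)
    if kw:
        reasons.append("keyword:" + kw.group(1).upper())
    return reasons if len(reasons) == 2 else []


def flag_suspicious(log_text):
    """Scan access-log text and return one record per suspicious request."""
    hits = []
    for line in log_text.splitlines():
        parsed = extract_goods_name(line)
        if not parsed:
            continue
        ip, value = parsed
        reasons = classify(value)
        if reasons:
            hits.append({"ip": ip, "goodsName": value, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in flag_suspicious(SAMPLE_LOG):
        print(hit)
```

Feed it the web server or reverse proxy access log rather than only the application log: the application log shows the SQL error for a failed probe, but the access log records every probe, including the ones that succeeded quietly. Group hits by source IP; three or more distinct payload shapes from one client within a minute is the signature of tooling rather than a typo.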

🔗 References
