CVE-2025-13578 – CVE-2025-13578 is an SQL injection vulnerabilit... (How to Fix)

Q: What is the severity of CVE-2025-13578?

CVE-2025-13578 has a CVSS score of 7.3 (HIGH). CVE-2025-13578 is an SQL injection vulnerability in code-projects Library System 1.0 that allows attackers to manipulate database queries through the login username parameter. This can lead to unauthorized data access, modification, or authentication bypass. All deployments of Library System 1.0 with the vulnerable login component are affected.

📋 TL;DR

CVE-2025-13578 is an SQL injection vulnerability in code-projects Library System 1.0 that allows attackers to manipulate database queries through the login username parameter. This can lead to unauthorized data access, modification, or authentication bypass. All deployments of Library System 1.0 with the vulnerable login component are affected.

💻 Affected Systems

Products:

code-projects Library System

Versions: 1.0

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: All installations with the default login component are vulnerable. The vulnerability is in the /index.php file's login functionality.

📦 What is this software?

Library System by Code Projects

View all CVEs affecting Library System →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise including data theft, data destruction, authentication bypass, and potential server takeover via SQL injection escalation.

🟠

Likely Case

Unauthorized data access, credential theft, and potential authentication bypass leading to unauthorized system access.

🟢

If Mitigated

Limited impact with proper input validation, parameterized queries, and network segmentation in place.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploit details are publicly available on GitHub and vuldb.com. Remote exploitation requires no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

1. Check vendor website for security updates. 2. If no patch available, implement workarounds. 3. Consider migrating to alternative software if vendor support is unavailable.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Implement strict input validation and parameterized queries for the username field

Modify /index.php to use prepared statements: $stmt = $conn->prepare('SELECT * FROM users WHERE username = ?'); $stmt->bind_param('s', $username);

Web Application Firewall Rules

all

Deploy WAF rules to block SQL injection patterns in login requests

Add WAF rule: Detect and block SQL keywords in username parameter (SELECT, UNION, INSERT, etc.)

🧯 If You Can't Patch

Isolate the Library System behind a reverse proxy with strict input validation
Implement network segmentation to limit database access from the application server

🔍 How to Verify

Check if Vulnerable:

Test the login endpoint with SQL injection payloads in the username parameter: ' OR '1'='1

Check Version:

Check the software version in the application interface or configuration files

Verify Fix Applied:

Verify that SQL injection payloads no longer work and that prepared statements are implemented in /index.php

📡 Detection & Monitoring

Log Indicators:

Unusual SQL errors in application logs
Multiple failed login attempts with SQL keywords in username field
Database query errors containing user input

Network Indicators:

HTTP POST requests to /index.php with SQL injection patterns in parameters
Unusual database connection patterns from application server

SIEM Query:

source="web_logs" AND uri="/index.php" AND (username="*OR*" OR username="*UNION*" OR username="*SELECT*")

📊 Metadata

CVE ID: CVE-2025-13578

CVSS v3 Score: 7.3 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-74

EPSS Score: 0.04% exploit probability (11.4th percentile)

Published: November 24, 2025

Last Updated: November 26, 2025

🔗 References

https://code-projects.org/ Product
https://github.com/rassec2/dbcve/issues/4 Exploit,Issue Tracking,Third Party Advisory
https://vuldb.com/?ctiid.333342 Permissions Required,VDB Entry
https://vuldb.com/?id.333342 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.699536 Third Party Advisory,VDB Entry

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-13578, you might also want to check these: