CVE-2025-21628
📋 TL;DR
This SQL injection vulnerability in Chatwoot allows authenticated users to execute arbitrary SQL queries through conversation and contact filter endpoints. Attackers can bypass intended filters and potentially access, modify, or delete database content. All Chatwoot instances running versions before 3.16.0 with authenticated users are affected.
💻 Affected Systems
- Chatwoot
📦 What is this software?
Chatwoot by Chatwoot
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including data exfiltration, data destruction, privilege escalation, and potential remote code execution via database functions.
Likely Case
Unauthorized data access, data manipulation, and potential privilege escalation within the Chatwoot application.
If Mitigated
Limited impact with proper input validation and parameterized queries, but still represents a serious authentication bypass risk.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once authenticated. The vulnerability is in filter endpoints that accept unsanitized query_operator parameters.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.16.0
Vendor Advisory: https://github.com/chatwoot/chatwoot/security/advisories/GHSA-g8f9-hh83-rcq9
Restart Required: Yes
Instructions:
1. Backup your Chatwoot database and configuration
2. Update to Chatwoot version 3.16.0 or later
3. Follow Chatwoot's upgrade documentation for your deployment method
4. Restart the Chatwoot application services
🔧 Temporary Workarounds
Input Validation Filter
Implement middleware to validate and sanitize query_operator parameters before they reach the vulnerable endpoints
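One way to implement that workaround, as an added example that is not Chatwoot's own code: an allow-list check on query_operator, wrapped in a Rack-style middleware that rejects bad filter payloads before they reach the filter controllers. The payload shape ({"payload": [{"query_operator": "AND", ...}]}) and the endpoint path pattern are assumptions drawn from the Chatwoot filter API and should be adjusted to match your deployment.

```ruby
require 'json'
require 'stringio'

# Allow-list for the query_operator field of Chatwoot filter payloads.
# Assumption: the filter API only ever joins conditions with AND / OR.
ALLOWED_QUERY_OPERATORS = %w[AND OR].freeze
# Assumption: path shape of the conversation/contact filter endpoints.
FILTER_PATH = %r{\A/api/v1/accounts/\d+/(conversations|contacts)/filter\z}.freeze

# Returns true only if every entry in "payload" carries no query_operator,
# or exactly AND / OR (case-insensitive, no padding or extra characters).
# Anything else (SQL fragments, arrays, malformed JSON) is rejected.
def valid_query_operators?(body)
  data = JSON.parse(body)
  return false unless data.is_a?(Hash)
  entries = data['payload']
  return true if entries.nil?               # no filter conditions to check
  return false unless entries.is_a?(Array)
  entries.all? do |entry|
    next false unless entry.is_a?(Hash)
    op = entry['query_operator']
    op.nil? || op == '' ||
      (op.is_a?(String) && ALLOWED_QUERY_OPERATORS.include?(op.upcase))
  end
rescue JSON::ParserError
  false
end

# Hypothetical Rack-style middleware (not part of Chatwoot): rejects POSTs
# to the filter endpoints whose body fails the allow-list, so the request
# never reaches the vulnerable filter code. Other requests pass through.
class QueryOperatorGuard
  def initialize(app)
    @app = app
  end

  def call(env)
    if env['REQUEST_METHOD'] == 'POST' && env['PATH_INFO'].to_s.match?(FILTER_PATH)
      input = env['rack.input']
      body = input.read
      input.rewind                          # leave the body readable downstream
      unless valid_query_operators?(body)
        return [422, { 'content-type' => 'application/json' },
                ['{"error":"invalid query_operator"}']]
      end
    end
    @app.call(env)
  end
end
```

Mount it ahead of the application (for example via `config.middleware.insert_before 0, QueryOperatorGuard` in a Rails initializer) so it runs before the filter controllers; it only rejects, it never rewrites the body.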
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Chatwoot instances from sensitive systems
- Enable detailed SQL query logging and monitor for unusual filter patterns or tautological WHERE clauses
🔍 How to Verify
Check if Vulnerable:
Check if Chatwoot version is below 3.16.0. Review application logs for unusual filter queries containing SQL injection patterns.
Check Version:
For Docker: docker exec chatwoot_web bundle exec rails -v | grep Chatwoot
For manual install: cd /path/to/chatwoot && bundle exec rails -v | grep Chatwoot
Note that rails -v reports the Rails framework version rather than the Chatwoot release; Chatwoot records its own release version in config/app.yml of the installed checkout (grep version config/app.yml in the application directory), so confirm the version there as well.
Verify Fix Applied:
Verify Chatwoot version is 3.16.0 or higher. Test filter endpoints with malicious query_operator values to confirm they are properly sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual WHERE clauses in filter queries
- SQL syntax errors in application logs
- Multiple filter requests with varying query_operator values
- Requests to conversation/contact filter endpoints with complex parameters
Network Indicators:
- Unusual database connection patterns from Chatwoot application
- Increased database query volume from Chatwoot
SIEM Query:
source="chatwoot_logs" AND ("query_operator" OR "WHERE") AND ("OR 1=1" OR "' OR '" OR "--" OR ";")