CVE-2025-22954
📋 TL;DR
This SQL injection vulnerability in Koha library management software allows attackers to execute arbitrary SQL commands via the supplierid or serialid parameters in the lateissues-export.pl endpoint. All Koha installations before version 24.11.02 are affected, potentially compromising database integrity and confidentiality.
💻 Affected Systems
- Koha
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including data exfiltration, modification, or deletion; potential privilege escalation to execute operating system commands via database functions.
Likely Case
Unauthorized data access and extraction from the Koha database, potentially exposing patron information, financial data, or administrative credentials.
If Mitigated
Limited impact with proper input validation and parameterized queries preventing SQL injection, though the vulnerability would still exist in the codebase.
🎯 Exploit Status
SQL injection via web parameters is a well-understood attack vector; exploitation would require access to the vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 24.11.02
Vendor Advisory: https://koha-community.org/koha-24-11-02-released/
Restart Required: No
Instructions:
1. Backup your Koha installation and database.
2. Update to Koha version 24.11.02 or later.
3. Verify the update completed successfully.
4. Test serials functionality.
🔧 Temporary Workarounds
Input Validation Filter
Implement strict input validation for the supplierid and serialid parameters to only accept expected data formats
Access Restriction
Restrict access to the /serials/lateissues-export.pl endpoint to authorized users only
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block SQL injection patterns targeting the vulnerable parameters
- Disable or restrict the serials module functionality if not required for operations
🔍 How to Verify
Check if Vulnerable:
Check Koha version; if earlier than 24.11.02, the system is vulnerable. Review C4/Serials.pm for the GetLateOrMissingIssues function.
Check Version:
koha-version
Verify Fix Applied:
Verify Koha version is 24.11.02 or later and test that SQL injection attempts on supplierid/serialid parameters are properly sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed parameter validation attempts
- Unexpected access to lateissues-export.pl
Network Indicators:
- HTTP requests with SQL injection patterns in supplierid or serialid parameters
- Unusual database connection patterns from web server
SIEM Query:
web.url:*lateissues-export.pl* AND (web.param:*supplierid* OR web.param:*serialid*) AND (web.param:*' OR * OR web.param:*;* OR web.param:*--*)
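The log and network indicators above, as detection logic run over constructed web-server access-log lines (an added example, not part of this advisory or of Koha's code). It assumes Apache combined log format, that the endpoint is served under /cgi-bin/koha/, and that supplierid and serialid are expected to be integer ids; values are percent-decoded before matching so that encoded quotes and semicolons are not missed.

```python
import re
from urllib.parse import urlsplit, parse_qs
# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2025:09:14:02 +0000] "GET /cgi-bin/koha/serials/lateissues-export.pl?supplierid=12&op=export HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2025:09:15:41 +0000] "GET /cgi-bin/koha/serials/lateissues-export.pl?supplierid=12'%20OR%20'1'%3D'1&op=export HTTP/1.1" 200 90214 "-" "curl/8.5.0"
10.0.0.9 - - [10/Mar/2025:09:16:03 +0000] "GET /cgi-bin/koha/serials/lateissues-export.pl?serialid=7%3B--&op=export HTTP/1.1" 500 412 "-" "curl/8.5.0"
10.0.0.7 - - [10/Mar/2025:09:17:10 +0000] "GET /cgi-bin/koha/catalogue/search.pl?q=it's HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

TARGET_PATH = "/serials/lateissues-export.pl"
WATCHED_PARAMS = ("supplierid", "serialid")
SQLI_MARKERS = ("'", ";", "--")        # the same characters the SIEM query keys on
EXPECTED_ID = re.compile(r"^\d+$")     # assumption: both parameters are integer ids
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def check_line(line):
    """Return [(param, decoded_value, reasons), ...] for out-of-spec values on a
    lateissues-export.pl request; [] for other endpoints or clean requests."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith(TARGET_PATH):
        return []
    # parse_qs percent-decodes values, so %27 / %3B are matched as ' and ;
    qs = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    for name in WATCHED_PARAMS:
        for value in qs.get(name, []):
            reasons = []
            if not EXPECTED_ID.match(value):
                reasons.append("not an integer id")
            reasons += [f"contains {mk!r}" for mk in SQLI_MARKERS if mk in value]
            if reasons:
                findings.append((name, value, reasons))
    return findings

def scan(log_text):
    """Map 1-based line numbers of suspicious requests to their findings."""
    report = {}
    for lineno, line in enumerate(log_text.splitlines(), 1):
        hits = check_line(line)
        if hits:
            report[lineno] = hits
    return report

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

Only the two requests to lateissues-export.pl with non-numeric parameter values are reported; the quote in the unrelated search.pl request is ignored, which keeps the rule specific to the vulnerable endpoint.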