CVE-2025-2655 – This SQL injection vulnerability in SourceCodes... (How to Fix)

Q: What is the severity of CVE-2025-2655?

CVE-2025-2655 has a CVSS score of 7.3 (HIGH). This SQL injection vulnerability in SourceCodester AC Repair and Services System 1.0 allows attackers to manipulate database queries through the ID parameter in user management functions. Attackers can potentially read, modify, or delete database contents, including sensitive user data. Any organization using this specific software version is affected.

📋 TL;DR

This SQL injection vulnerability in SourceCodester AC Repair and Services System 1.0 allows attackers to manipulate database queries through the ID parameter in user management functions. Attackers can potentially read, modify, or delete database contents, including sensitive user data. Any organization using this specific software version is affected.

💻 Affected Systems

Products:

SourceCodester AC Repair and Services System

Versions: 1.0

Operating Systems: Any

Default Config Vulnerable: ⚠️ Yes

Notes: Affects the save_users and delete_users functions in /classes/Users.php

📦 What is this software?

Ac Repair And Services System by Oretnom23

View all CVEs affecting Ac Repair And Services System →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, data destruction, or full system takeover via subsequent attacks.

🟠

Likely Case

Unauthorized access to sensitive user data, potential privilege escalation, and data manipulation.

🟢

If Mitigated

Limited impact with proper input validation and database permissions in place.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploit details are publicly available on GitHub. Attack requires access to user management functions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Implement parameterized queries and input validation in affected PHP files.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Add proper input validation and parameterized queries to the affected Users.php file

Modify /classes/Users.php to use prepared statements with PDO or mysqli

Web Application Firewall

all

Deploy WAF with SQL injection protection rules

🧯 If You Can't Patch

Isolate the system from internet access
Implement strict network segmentation and access controls
Enable detailed SQL query logging and monitoring

🔍 How to Verify

Check if Vulnerable:

Review /classes/Users.php for lack of parameterized queries in save_users and delete_users functions

Check Version:

Check system documentation or configuration files for version information

Verify Fix Applied:

Test user management functions with SQL injection payloads to ensure they're rejected

📡 Detection & Monitoring

Log Indicators:

Unusual SQL queries in database logs
Multiple failed login attempts followed by user management actions

Network Indicators:

SQL injection patterns in HTTP requests to user management endpoints

SIEM Query:

source="web_logs" AND (url="*save_users*" OR url="*delete_users*") AND (query="*' OR *" OR query="*;--*")

📊 Metadata

CVE ID: CVE-2025-2655

CVSS v3 Score: 7.3 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-74

EPSS Score: 0.12% exploit probability (30.4th percentile)

Published: March 23, 2025

Last Updated: November 22, 2025

🔗 References

https://github.com/Colorado-all/cve/blob/main/AC%20Repair%20and%20Services%20System%20using/SQL-8.md Exploit,Third Party Advisory
https://vuldb.com/?ctiid.300670 Permissions Required,VDB Entry
https://vuldb.com/?id.300670 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.520017 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.696635
https://www.sourcecodester.com/ Product

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-2655, you might also want to check these: