CVE-2025-27617
📋 TL;DR
This SQL injection vulnerability in Pimcore allows authenticated users to craft malicious filter strings that can execute arbitrary SQL commands. The vulnerability affects all Pimcore installations prior to version 11.5.4 where users have authenticated access to the platform.
💻 Affected Systems
- Pimcore
📦 What is this software?
Pimcore by Pimcore
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including data theft, data manipulation, and potential remote code execution through database functions.
Likely Case
Unauthorized data access, data exfiltration, and potential privilege escalation within the application.
If Mitigated
Limited impact due to proper input validation and parameterized queries preventing successful exploitation.
🎯 Exploit Status
Exploitation requires authenticated access and knowledge of Pimcore's filter string syntax. The advisory provides technical details but no public exploit code.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 11.5.4
Vendor Advisory: https://github.com/pimcore/pimcore/security/advisories/GHSA-qjpx-5m2p-5pgh
Restart Required: No
Instructions:
1. Back up your Pimcore instance and database.
2. Update Pimcore to version 11.5.4 or later using composer: 'composer require pimcore/pimcore:^11.5.4'.
3. Clear the cache: 'bin/console cache:clear'.
4. Verify that the update completed successfully.
🔧 Temporary Workarounds
Input Validation Filter
Implement additional input validation for filter strings in custom code to reject suspicious patterns.
Database User Privilege Reduction
Limit database user permissions to only the necessary operations to reduce the impact if exploited.
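The "Input Validation Filter" workaround above is easiest to get right as an allowlist rather than a blocklist of "suspicious patterns": accept only the shape the filter is supposed to have and bind the values as parameters. The following is an added example, not Pimcore's own code and not the fixed RelationFilterConditionParser. It assumes, hypothetically, that a relation filter is a comma-separated list of integer object IDs and uses an in-memory SQLite table with a constructed schema (objects, related_id, category_id) to stand in for Pimcore's tables; Pimcore's real filter grammar and column names are not reproduced.

```python
"""Allowlist validation for a relation filter string before it reaches SQL.

Added example, not Pimcore code. Assumes (hypothetically) that the filter
value is a comma-separated list of object IDs.
"""
import re
import sqlite3
from typing import List

# One or more decimal IDs separated by commas, optional whitespace. Anything
# else (quotes, comment markers, semicolons, keywords) simply fails to match,
# so there is no list of "bad" patterns to keep up to date.
_FILTER_RE = re.compile(r"^\s*\d+(\s*,\s*\d+)*\s*$")
MAX_IDS = 100  # assumed cap so the IN (...) list stays bounded


class InvalidFilter(ValueError):
    """Raised when a filter string does not match the expected shape."""


def is_valid_filter(value: str) -> bool:
    """True if the filter string is a bounded list of integer IDs."""
    return bool(_FILTER_RE.match(value)) and value.count(",") < MAX_IDS


def parse_filter(value: str) -> List[int]:
    """Return the IDs in the filter string or raise InvalidFilter."""
    if not is_valid_filter(value):
        raise InvalidFilter("filter must be a comma-separated list of integer IDs")
    return [int(tok) for tok in value.split(",")]


def find_related(conn: sqlite3.Connection, column: str, value: str) -> List[int]:
    """Run the relation filter with a parameterised IN (...) clause.

    The column name comes from the class definition, not from the request, but
    placeholders cannot bind identifiers, so it is checked against an allowlist
    of known relation columns (assumed schema) instead of being interpolated
    unchecked.
    """
    allowed_columns = {"related_id", "category_id"}
    if column not in allowed_columns:
        raise InvalidFilter("unknown relation column")
    ids = parse_filter(value)
    placeholders = ",".join("?" * len(ids))
    sql = f"SELECT id FROM objects WHERE {column} IN ({placeholders}) ORDER BY id"
    return [row[0] for row in conn.execute(sql, ids)]


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for Pimcore's object tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE objects (id INTEGER PRIMARY KEY, related_id INTEGER, category_id INTEGER)"
    )
    conn.executemany(
        "INSERT INTO objects VALUES (?, ?, ?)",
        [(1, 10, 5), (2, 11, 5), (3, 10, 6), (4, 12, 7)],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    db = demo_db()
    print(find_related(db, "related_id", "10, 12"))  # [1, 3, 4]
    for bad in ("10 OR 1=1", "10; --", "10'"):
        print(repr(bad), "accepted" if is_valid_filter(bad) else "rejected")
```

Pairing this with the "Database User Privilege Reduction" workaround means the account Pimcore connects with should hold only the DML rights the application needs on its own schema, so that a filter which does slip past validation cannot reach administrative statements.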
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block SQL injection patterns in filter parameters
- Restrict authenticated user access to only trusted users and implement strict access controls
🔍 How to Verify
Check if Vulnerable:
Check the Pimcore version: 'composer show pimcore/pimcore | grep version'. If the version is below 11.5.4, the system is vulnerable.
Check Version:
composer show pimcore/pimcore | grep version
Verify Fix Applied:
After updating, verify that the version is 11.5.4 or higher: 'composer show pimcore/pimcore | grep version'. Test the filter functionality to ensure it works without errors.
📡 Detection & Monitoring
Log Indicators:
- Unusual database queries from Pimcore application logs
- Multiple failed filter operations with unusual characters
- Database error logs showing SQL syntax errors from Pimcore
Network Indicators:
- Unusual database traffic patterns from application servers
- Large data transfers from database to application outside normal patterns
SIEM Query:
source="pimcore.log" AND ("SQL" OR "database error" OR "filter") AND ("' OR " OR "--" OR ";" OR "UNION")
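The SIEM query above requires both a context term (SQL, database error, filter) and an injection token on the same line. The scanner below is an added example, not part of the advisory or of any SIEM product, that applies the same two-stage match to log lines so the rule can be checked before it is deployed. The log lines are constructed for illustration and do not reproduce Pimcore's real log format; the ranking by distinct tokens is an addition, since the bare ';' and '--' tokens are noisy on their own.

```python
"""Apply the SIEM query's logic to sample log lines.

Added example, not part of the advisory. SAMPLE_LOG is constructed and does
not reflect Pimcore's actual pimcore.log format.
"""
import re
from typing import Dict, List

# Context terms from the SIEM query: a line must mention one of these first.
CONTEXT = re.compile(r"SQL|database error|filter", re.IGNORECASE)

# Injection tokens from the SIEM query. The quote-OR token keeps its leading
# quote and surrounding spaces so that ordinary prose containing "or" does
# not fire. Matching is case-insensitive, as most SIEMs search by default.
TOKENS = ["' OR ", "--", ";", "UNION"]
TOKEN_RE = re.compile("|".join(re.escape(t) for t in TOKENS), re.IGNORECASE)

# Constructed sample lines; the third has a ';' but no context term and must
# not match, which is the point of the AND in the query.
SAMPLE_LOG = [
    "[2025-03-10 10:01:02] app.INFO: filter applied relation=related_id value=10,12",
    "[2025-03-10 10:01:09] doctrine.ERROR: SQL error: syntax error near '' OR 1=1 --' in filter condition",
    "[2025-03-10 10:02:15] app.INFO: user login succeeded; session refreshed",
    "[2025-03-10 10:03:40] doctrine.ERROR: database error: UNION SELECT in filter value rejected",
    "[2025-03-10 10:04:01] app.WARNING: filter value 'a;b' contains ';'",
]


def scan(lines: List[str]) -> List[Dict]:
    """Return one hit per line that has a context term and at least one token.

    Each hit records the 1-based line number, the distinct tokens seen
    (upper-cased, sorted) and the raw line.
    """
    hits = []
    for line_no, line in enumerate(lines, 1):
        if not CONTEXT.search(line):
            continue
        tokens = sorted({m.group(0).upper() for m in TOKEN_RE.finditer(line)})
        if tokens:
            hits.append({"line_no": line_no, "tokens": tokens, "line": line})
    return hits


def ranked(lines: List[str]) -> List[Dict]:
    """Hits ordered by number of distinct tokens, most suspicious first.

    A line with only ';' or only '--' is common in benign logs; a line that
    also carries a quote-OR or UNION token deserves a look first.
    """
    return sorted(scan(lines), key=lambda h: (-len(h["tokens"]), h["line_no"]))


if __name__ == "__main__":
    for hit in ranked(SAMPLE_LOG):
        print(hit["line_no"], hit["tokens"], hit["line"])
```

Running this against real log exports before enabling the rule shows how much of the ';' and '--' noise the environment produces and whether the context terms need to be narrowed to the channels that actually log filter handling.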
🔗 References
- https://github.com/pimcore/pimcore/blob/c721a42c23efffd4ca916511ddb969598d302396/models/DataObject/ClassDefinition/Data/Extension/RelationFilterConditionParser.php#L29-L47
- https://github.com/pimcore/pimcore/blob/c721a42c23efffd4ca916511ddb969598d302396/models/DataObject/ClassDefinition/Data/Multiselect.php#L332-L347
- https://github.com/pimcore/pimcore/commit/19a8520895484e68fd254773e32476565d91deea
- https://github.com/pimcore/pimcore/security/advisories/GHSA-qjpx-5m2p-5pgh