CVE-2025-28056
📋 TL;DR
CVE-2025-28056 is a critical SQL injection vulnerability in rebuild's admin-cli/exec component that allows attackers to execute arbitrary SQL commands. It affects rebuild v3.9.0 through v3.9.3; exploitation requires admin access. Successful exploitation could lead to complete database compromise.
💻 Affected Systems
- rebuild
📦 What is this software?
Rebuild by Ruifang Tech
⚠️ Risk & Real-World Impact
Worst Case
Complete database takeover including data theft, data destruction, privilege escalation to system-level access, and potential lateral movement to other systems.
Likely Case
Database information disclosure, data manipulation, and potential administrative account compromise leading to further system exploitation.
If Mitigated
Limited impact if proper input validation and parameterized queries are implemented, with database permissions restricted to minimum necessary privileges.
🎯 Exploit Status
Exploitation requires admin access but is straightforward once access is obtained. The GitHub issue shows technical details of the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v3.9.4 or later
Vendor Advisory: https://github.com/getrebuild/rebuild/issues/866
Restart Required: Yes
Instructions:
1. Back up your database and configuration.
2. Update rebuild to version 3.9.4 or later.
3. Restart the rebuild service.
4. Verify the fix by checking the version and testing the vulnerable endpoint.
🔧 Temporary Workarounds
Disable admin-cli/exec endpoint
Temporarily disable or restrict access to the vulnerable /admin/admin-cli/exec component
# Configure web server to block access to /admin/admin-cli/exec
# Example for nginx: location /admin/admin-cli/exec { deny all; }
# Example for Apache: <Location /admin/admin-cli/exec> Require all denied </Location>
Implement WAF rules
Add SQL injection detection and blocking rules to the web application firewall
# Example ModSecurity rule: SecRule ARGS "@detectSQLi" "id:1001,phase:2,deny,status:403,msg:'SQL Injection Attempt'"
# Configure WAF to block suspicious SQL patterns in /admin/admin-cli/exec requests
🧯 If You Can't Patch
- Implement strict input validation and parameterized queries for all admin-cli/exec functionality
- Restrict database user permissions to minimum required privileges and implement database-level access controls
🔍 How to Verify
Check if Vulnerable:
Check if rebuild version is between 3.9.0 and 3.9.3 inclusive, and verify the /admin/admin-cli/exec endpoint exists and accepts SQL commands.
Check Version:
Check rebuild configuration files or application interface for version information, typically in package.json or application properties.
Verify Fix Applied:
After updating to v3.9.4+, verify the version and test that SQL injection attempts on /admin/admin-cli/exec are properly sanitized or rejected.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in application logs
- Multiple failed login attempts followed by admin-cli/exec access
- Database error messages containing SQL syntax in web logs
Network Indicators:
- POST requests to /admin/admin-cli/exec containing SQL keywords (SELECT, UNION, INSERT, etc.)
- Unusual database connection patterns from application server
SIEM Query:
source="web_logs" AND uri="/admin/admin-cli/exec" AND (body CONTAINS "SELECT" OR body CONTAINS "UNION" OR body CONTAINS "INSERT" OR body CONTAINS "DELETE")
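The SIEM query above, as an added example that is not part of the original advisory: a small Python detector that applies the same logic (POST to /admin/admin-cli/exec with a SQL keyword in the body) to constructed JSON-lines web log records. It assumes request bodies are logged (a reverse proxy or the application itself would have to provide them; standard access logs do not), and the field names ts, src, method, uri, status and body are assumptions.

```python
import json
import re

# Keywords from the advisory's SIEM query plus a few common SQL verbs, matched as
# whole words and case-insensitively so "Unionized" or "selected" do not trigger.
SQL_KEYWORDS = ("SELECT", "UNION", "INSERT", "DELETE", "UPDATE", "DROP")
KEYWORD_RE = re.compile(r"\b(" + "|".join(SQL_KEYWORDS) + r")\b", re.IGNORECASE)
TARGET_URI = "/admin/admin-cli/exec"

# Constructed sample log records (one JSON object per line; field names are assumed).
SAMPLE_LOG = """\
{"ts": "2025-03-10T09:01:12Z", "src": "10.0.0.5", "method": "GET", "uri": "/admin/admin-cli", "status": 200, "body": ""}
{"ts": "2025-03-10T09:02:40Z", "src": "10.0.0.5", "method": "POST", "uri": "/admin/admin-cli/exec", "status": 200, "body": "cmd=SELECT 1"}
{"ts": "2025-03-10T09:03:05Z", "src": "10.0.0.9", "method": "POST", "uri": "/admin/admin-cli/exec", "status": 200, "body": "cmd=show version"}
{"ts": "2025-03-10T09:04:51Z", "src": "198.51.100.7", "method": "POST", "uri": "/admin/admin-cli/exec", "status": 500, "body": "cmd=x' UNION select 1--"}
{"ts": "2025-03-10T09:05:00Z", "src": "10.0.0.5", "method": "POST", "uri": "/api/record", "status": 200, "body": "title=Unionized"}
"""


def is_suspicious(event: dict) -> bool:
    """True when a POST to the admin-cli exec endpoint carries a SQL keyword in its body."""
    if event.get("method") != "POST" or event.get("uri") != TARGET_URI:
        return False
    return KEYWORD_RE.search(event.get("body", "")) is not None


def detect(log_text: str) -> list:
    """Parse JSON-lines web logs and return the suspicious events with the first matched keyword."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if is_suspicious(event):
            keyword = KEYWORD_RE.search(event["body"]).group(1).upper()
            hits.append({"ts": event["ts"], "src": event["src"],
                         "status": event["status"], "keyword": keyword})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(hit)
```

Because the endpoint accepts commands from administrators by design, a hit is a triage signal rather than proof of attack: correlate the source address with known admin workstations and treat error responses (status 500) or unfamiliar sources as the higher-priority events.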