CVE-2025-3382
📋 TL;DR
This critical SQL injection vulnerability in joey-zhou's xiaozhi-esp32-server-java allows remote attackers to execute arbitrary SQL commands via the 'state' parameter of the /api/user/update endpoint. Attackers can potentially read, modify, or delete database contents, including sensitive user data. The project ships no numbered releases, so any deployment built from an affected commit is exposed.
💻 Affected Systems
- joey-zhou xiaozhi-esp32-server-java
⚠️ Manual Verification Required
This CVE carries no version range in our database, so automatic vulnerability detection cannot determine whether your system is affected.
Why? The project publishes rolling commits rather than numbered releases, so the advisory identifies the affected code only by commit hash (a14fe8115842ee42ab5c7a51706b8a85db5200b7) and no vendor/NVD version range exists for a scanner to match against.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data theft or data destruction; full system takeover only if the database account holds file-write or command-execution privileges that let the injection be chained to remote code execution.
Likely Case
Unauthorized data access and modification, credential theft, and potential privilege escalation.
If Mitigated
Parameterized queries in the handler remove the injection entirely; input validation, a least-privilege database account, and network segmentation only limit the blast radius while the handler remains vulnerable.
🎯 Exploit Status
Exploit details publicly disclosed on GitHub. Simple SQL injection via parameter manipulation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: No fix commit is named in the advisory; it identifies the vulnerable code only as commit a14fe8115842ee42ab5c7a51706b8a85db5200b7, so any checkout at or before that commit must be treated as vulnerable.
Vendor Advisory: Not available - community project
Restart Required: Yes
Instructions:
1. Pull the latest code from the repository.
2. Confirm the checkout is newer than a14fe8115842ee42ab5c7a51706b8a85db5200b7 and that the /api/user/update handler (and the query it issues) now binds the state value as a query parameter instead of concatenating it into SQL; a later commit date alone does not prove the fix is present.
3. Rebuild and redeploy the application.
4. Restart the service.
🔧 Temporary Workarounds
WAF Rule for SQL Injection
Implement web application firewall rules that block SQL injection patterns in the state parameter. Make sure the rule inspects the URL-decoded value of both query-string and form-body parameters, since the payload may arrive percent-encoded in a POST body.
Depends on specific WAF platform
Input Validation Filter
Add server-side validation that rejects any state value outside an explicit allow-list, applied after URL decoding and before the value reaches the query layer.
Implement regex filter: ^[a-zA-Z0-9_\-]+$ for the state parameter, anchored and matched against the whole value; if the application only ever uses numeric state values, tighten it to digits only. This is a stopgap: the durable fix is a parameterized query.
🧯 If You Can't Patch
- Block external access to the /api/user/update endpoint at the reverse proxy or WAF (a network-layer firewall cannot match URL paths); if the endpoint must stay reachable, restrict it to trusted source ranges
- Run the application with a least-privilege database account: this endpoint needs UPDATE on the user table to function, so a read-only account will break it; instead revoke DDL, file-access, and other administrative privileges and confine the account to the application's own schema
🔍 How to Verify
Check if Vulnerable:
Check the git commit hash: a checkout at a14fe8115842ee42ab5c7a51706b8a85db5200b7 or any earlier commit is vulnerable. A later commit is not automatically safe; confirm the /api/user/update handler was actually changed.
Check Version:
git log --oneline -1
Verify Fix Applied:
Verify the current commit is newer than a14fe8115842ee42ab5c7a51706b8a85db5200b7, confirm in the source that the handler binds state as a query parameter, and test that SQL syntax in the state parameter is rejected or stored as a literal value rather than producing a database error or altering other rows.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL errors in application logs
- Multiple failed update attempts with SQL syntax in parameters
- Database queries from unexpected sources
Network Indicators:
- HTTP POST requests to /api/user/update with SQL keywords in state parameter
- Unusual database connection patterns
SIEM Query:
source="app.log" AND "state=" AND ("SELECT" OR "UNION" OR "INSERT" OR "DELETE")
This is a coarse substring match: it will fire on benign values that merely contain these words and miss payloads that arrive percent-encoded or in lower case on platforms with case-sensitive matching. Where the SIEM allows it, decode the parameter first and alert on anything outside the allow-list used for the validation filter.
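The allow-list check from the Input Validation Filter workaround and the detection logic from this section, worked through as an added example that is not code from the original page or from the xiaozhi-esp32-server-java project. The request log format, the sample log lines, and the table and user names in them are constructed for this example; the scanner decodes the state parameter before checking it, so a benign value such as select_all passes while the encoded payloads are flagged with the SQL tokens that triggered the finding.

```python
import re
from urllib.parse import parse_qs

# Allow-list for the state parameter (the regex from the workaround above).
STATE_ALLOWED = re.compile(r"^[a-zA-Z0-9_\-]+$")

# SQL tokens that have no business in a state value. Matched on the decoded value,
# with word boundaries on keywords so a benign value such as "select_all" is not a hit.
SQL_TOKENS = re.compile(
    r"(?i)\b(?:select|union|insert|update|delete|drop|or|and)\b|--|/\*|\*/|;|'"
)

TARGET_PATH = "/api/user/update"

# Constructed application request log (hypothetical format, not the project's):
# "<timestamp> <client-ip> <method> <path> <url-encoded form or query parameters>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) ?(?P<params>\S*)$"
)

# Constructed sample lines; IPs are documentation ranges, "users" is a placeholder table.
SAMPLE_LOG = [
    "2025-04-07T10:00:01Z 203.0.113.5 POST /api/user/update userId=7&state=1",
    "2025-04-07T10:00:02Z 203.0.113.5 POST /api/user/update userId=7&state=1%27%20OR%20%271%27%3D%271",
    "2025-04-07T10:00:03Z 198.51.100.9 POST /api/user/update userId=8&state=0%20UNION%20SELECT%20username%2Cpassword%20FROM%20users",
    "2025-04-07T10:00:04Z 198.51.100.9 GET /api/user/list page=1",
    "2025-04-07T10:00:05Z 192.0.2.4 POST /api/user/update userId=9&state=select_all",
    "2025-04-07T10:00:06Z 192.0.2.4 POST /api/user/update?state=1%27-- userId=9",
]


def state_is_valid(value: str) -> bool:
    """Return True only if the already-decoded value matches the allow-list exactly."""
    return STATE_ALLOWED.fullmatch(value) is not None


def sql_tokens_in(value: str) -> list:
    """List the SQL tokens found in a decoded value, in order of appearance."""
    return [m.group(0) for m in SQL_TOKENS.finditer(value)]


def scan_request_log(lines) -> list:
    """Return one finding per /api/user/update request whose decoded state value
    fails the allow-list. Parameters from the query string and the form body are
    merged; parse_qs performs the URL decoding (including '+' to space)."""
    findings = []
    for raw in lines:
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue
        path, _, query = m.group("path").partition("?")
        if path != TARGET_PATH:
            continue
        raw_params = "&".join(p for p in (query, m.group("params")) if p)
        params = parse_qs(raw_params, keep_blank_values=True)
        for state in params.get("state", []):
            if state_is_valid(state):
                continue
            findings.append({
                "ts": m.group("ts"),
                "ip": m.group("ip"),
                "method": m.group("method"),
                "state": state,
                "tokens": sql_tokens_in(state),
            })
    return findings


if __name__ == "__main__":
    for f in scan_request_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['method']} state={f['state']!r} tokens={f['tokens']}")
```

Standard web-server access logs do not record POST bodies, so feed this with the application's request log or the WAF log that captures form parameters. The same decode-then-allow-list logic is what the SIEM rule should express instead of a raw substring match.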