CVE-2025-54379

9.8 CRITICAL

📋 TL;DR

CVE-2025-54379 is a critical SQL injection vulnerability in the getLast API of LF Edge eKuiper. User-supplied input reaches a SQL statement without validation, so an unauthenticated remote attacker can inject arbitrary SQL into queries run against eKuiper's SQLite database. All eKuiper releases before 2.2.1 are affected, which puts the IoT edge devices running them at risk.

💻 Affected Systems

Products:
  • LF Edge eKuiper
Versions: All versions before 2.2.1
Operating Systems: All platforms running eKuiper
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments with the getLast API accessible are vulnerable. The vulnerability exists in the core API functionality.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data theft, corruption, or deletion, potentially enabling full control over affected edge devices and lateral movement in IoT networks.

🟠 Likely Case

Unauthenticated attackers exploiting exposed API endpoints to extract sensitive IoT data, manipulate stream processing rules, or disrupt edge analytics operations.

🟢 If Mitigated

Limited impact if API endpoints are not internet-facing and network segmentation prevents unauthorized access to eKuiper services.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability requires no authentication and is exploited with ordinary SQL injection techniques (closing the intended statement and appending another, or a UNION), so anyone who can reach the REST port can attempt it.
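To make the bug class concrete, the following Go example (added here; it is an illustrative reconstruction, not eKuiper's source) puts a string-concatenating getLast query builder beside a hardened one. Ordering by rowid to select the "last" row is an assumption of the demo, and the payload is constructed. The point it shows: a table name cannot be bound with a "?" placeholder, so the fix has to be an identifier allow-list plus quoting, not parameter binding.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// buildGetLastVulnerable mirrors the bug class described above: the
// caller-controlled table name is pasted straight into the SQL text, so any
// SQL metacharacters in it become part of the statement. This is an
// illustrative reconstruction, not eKuiper's source. Ordering by rowid to
// get the "last" row is an assumption for the demo.
func buildGetLastVulnerable(table string) string {
	return "SELECT * FROM " + table + " ORDER BY rowid DESC LIMIT 1"
}

// identRe is the allow-list for table names: a plain SQLite identifier,
// at most 64 characters, no quotes, spaces, semicolons or comment markers.
var identRe = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]{0,63}$`)

// ErrBadIdentifier is returned for any table name that fails the allow-list.
var ErrBadIdentifier = errors.New("table name is not a plain SQL identifier")

// quoteIdent validates an identifier and wraps it in double quotes, which is
// how SQLite quotes identifiers. Identifiers cannot be bound with "?"
// placeholders, so validation plus quoting is the correct defence here.
func quoteIdent(name string) (string, error) {
	if !identRe.MatchString(name) {
		return "", fmt.Errorf("%w: %q", ErrBadIdentifier, name)
	}
	return `"` + name + `"`, nil
}

// buildGetLastSafe is the hardened builder: it refuses anything that is not
// a bare identifier and quotes what it accepts.
func buildGetLastSafe(table string) (string, error) {
	q, err := quoteIdent(table)
	if err != nil {
		return "", err
	}
	return "SELECT * FROM " + q + " ORDER BY rowid DESC LIMIT 1", nil
}

// statementCount is a crude demo helper: the number of ';'-separated
// statements in the built SQL text after stripping a trailing "--" comment.
func statementCount(sql string) int {
	if i := strings.Index(sql, "--"); i >= 0 {
		sql = sql[:i]
	}
	n := 0
	for _, part := range strings.Split(sql, ";") {
		if strings.TrimSpace(part) != "" {
			n++
		}
	}
	return n
}

func main() {
	// Constructed attacker-controlled table value: closes the intended
	// statement, appends a second one, and comments out the remainder.
	payload := "sensors; DELETE FROM sensors; --"

	vuln := buildGetLastVulnerable(payload)
	fmt.Printf("vulnerable builder produced %d statement(s):\n  %s\n", statementCount(vuln), vuln)

	if _, err := buildGetLastSafe(payload); err != nil {
		fmt.Println("hardened builder rejected payload:", err)
	}
	safe, _ := buildGetLastSafe("sensors")
	fmt.Println("hardened builder for a legitimate name:", safe)
}
```

Run it with `go run .`; the vulnerable builder emits two statements for the payload, while the hardened builder returns ErrBadIdentifier and only ever produces a single quoted-identifier query.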

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.2.1

Vendor Advisory: https://github.com/lf-edge/ekuiper/security/advisories/GHSA-526j-mv3p-f4vv

Restart Required: Yes

Instructions:

1. Back up the current configuration and data.
2. Stop the eKuiper service.
3. Upgrade to version 2.2.1 using your package manager or a manual installation.
4. Restart the eKuiper service.
5. Verify functionality and monitor the logs.

🔧 Temporary Workarounds

Network Access Restriction (linux)

Restrict network access to the eKuiper REST API using firewall rules or network segmentation. The REST port defaults to 9081 (basic.restPort in etc/kuiper.yaml); check the configured value before writing rules, and make sure no earlier ACCEPT rule in the INPUT chain shadows the DROP, since -A appends to the end of the chain.

# 192.0.2.0/24 is a documentation range; replace it with your management network
iptables -A INPUT -p tcp --dport 9081 -s 192.0.2.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 9081 -j DROP
# confirm the rules sit before any broader ACCEPT
iptables -L INPUT -n --line-numbers

API Endpoint Disablement (all)

Disable or restrict access to the vulnerable getLast API if it is not required for operations. Where it is required, keep the REST API off untrusted interfaces.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate eKuiper instances from untrusted networks
  • Deploy web application firewall (WAF) rules to detect and block SQL injection attempts

🔍 How to Verify

Check if Vulnerable:

Check the running eKuiper version through the REST API (GET / on the REST port returns a JSON object whose version field is the running version) or from the installed package. Any version below 2.2.1 is vulnerable.

Check Version:

# REST port defaults to 9081 (basic.restPort in etc/kuiper.yaml)
curl -s http://localhost:9081/

Verify Fix Applied:

Confirm that the reported version is 2.2.1 or higher after the restart. On a test instance, a functional check is to submit a table name containing SQL metacharacters (a quote, a semicolon, or "--") and confirm the request is rejected rather than executed.
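The version check is easy to get wrong by hand (string comparison puts "2.10.0" before "2.2.1", and a "2.2.1-rc1" pre-release predates the fix). The Go example below, added here and not part of the page or of eKuiper, parses the response body of GET / and compares the version against 2.2.1 with those edge cases handled. The response shape {"version":...,"os":...,"upTimeSeconds":...} is assumed from eKuiper's documented basic-info endpoint; the sample body is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// fixedVersion is the first release carrying the fix, per the vendor advisory.
const fixedVersion = "2.2.1"

// version is a parsed major.minor.patch triple plus whether the string
// carried a pre-release suffix such as "-rc1".
type version struct {
	parts      [3]int
	prerelease bool
}

// parseVersion accepts "2.2.1", "v2.2.1", "2.2.1-rc1" or "2.2.1+build7".
// Missing minor/patch components are treated as 0.
func parseVersion(s string) (version, error) {
	var v version
	s = strings.TrimSpace(strings.TrimPrefix(s, "v"))
	if i := strings.IndexAny(s, "-+"); i >= 0 {
		v.prerelease = s[i] == '-'
		s = s[:i]
	}
	if s == "" {
		return v, fmt.Errorf("empty version string")
	}
	fields := strings.Split(s, ".")
	if len(fields) > 3 {
		return v, fmt.Errorf("too many components in %q", s)
	}
	for i, f := range fields {
		n, err := strconv.Atoi(f)
		if err != nil || n < 0 {
			return v, fmt.Errorf("bad version component %q", f)
		}
		v.parts[i] = n
	}
	return v, nil
}

// isVulnerable reports whether the given eKuiper version is below 2.2.1.
// A pre-release of 2.2.1 itself (e.g. 2.2.1-rc1) is treated as vulnerable,
// since it predates the tagged fix.
func isVulnerable(s string) (bool, error) {
	v, err := parseVersion(s)
	if err != nil {
		return false, err
	}
	fixed, _ := parseVersion(fixedVersion)
	for i := 0; i < 3; i++ {
		if v.parts[i] != fixed.parts[i] {
			return v.parts[i] < fixed.parts[i], nil
		}
	}
	return v.prerelease, nil
}

// basicInfo is the assumed shape of the JSON returned by GET / on the REST
// port; only the version field is used here.
type basicInfo struct {
	Version string `json:"version"`
}

// versionFromBasicInfo extracts the version field from a GET / response body.
func versionFromBasicInfo(body []byte) (string, error) {
	var bi basicInfo
	if err := json.Unmarshal(body, &bi); err != nil {
		return "", err
	}
	if bi.Version == "" {
		return "", fmt.Errorf("no version field in response")
	}
	return bi.Version, nil
}

func main() {
	// Constructed response body, in the shape documented for GET /.
	body := []byte(`{"version":"2.1.0","os":"linux","upTimeSeconds":4242}`)
	v, err := versionFromBasicInfo(body)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	vuln, _ := isVulnerable(v)
	fmt.Printf("eKuiper %s vulnerable to CVE-2025-54379: %v\n", v, vuln)
}
```

Feed it the body of `curl -s http://localhost:9081/` from each host instead of the constructed sample to sweep a fleet.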

📡 Detection & Monitoring

Log Indicators:

  • SQLite is embedded and keeps no server-side query log, so rely on eKuiper's own logs: SQL syntax errors or unexpected statements reported by the SQL source
  • Repeated API requests that fail with SQL syntax in their error messages
  • Unexpected modification, growth or deletion of eKuiper's SQLite database file

Network Indicators:

  • SQL metacharacters or keywords (quotes, semicolons, "--", UNION, SELECT) in parameters of HTTP requests to the /api/getLast endpoint
  • Requests to the eKuiper REST port from hosts outside the management network

SIEM Query:

source="ekuiper.logs" AND ("SQL" OR "injection" OR "malformed" OR "unexpected")
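A keyword search of the kind shown above is a coarse first pass; the network indicator is better checked directly on request logs. The Go example below (added here, not part of the page or of eKuiper) decodes each request to a getLast route and flags query values carrying SQL metacharacters. The log lines are constructed in a generic "timestamp method path status" shape, not eKuiper's real log format, and the /api/getLast route name is taken from the indicator list above; adjust the field split and route match to what your proxy or eKuiper instance emits.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// sampleLog is a constructed request log in a generic
// "timestamp method path status" shape; it is not eKuiper's real log format,
// so adapt the field split to whatever your proxy or eKuiper instance emits.
const sampleLog = `2025-07-30T10:01:02Z GET /api/getLast?table=sensors 200
2025-07-30T10:01:07Z GET /api/getLast?table=sensors%3B%20DELETE%20FROM%20sensors%3B%20-- 500
2025-07-30T10:01:09Z GET /rules 200
2025-07-30T10:01:15Z GET /api/getLast?table=sensors%20UNION%20SELECT%20sql%2C1%20FROM%20sqlite_master 200
2025-07-30T10:01:20Z POST /streams 201`

// sqliRe flags SQL metacharacters and keywords that have no business in a
// table-name parameter. It is deliberately broad: a table name on this
// endpoint should only ever be a bare identifier.
var sqliRe = regexp.MustCompile(`(?i)(--|;|'|"|/\*|\bunion\b|\bselect\b|\battach\b|\bsqlite_master\b)`)

// Hit records one suspicious parameter value and the line it came from.
type Hit struct {
	Line  int
	Param string
	Value string
}

// scanRequest inspects one request path. Only requests to a getLast route
// are examined; every decoded query value is tested against sqliRe, so
// URL-encoded payloads (%27, %3B, ...) are caught after decoding.
func scanRequest(lineNo int, rawPath string) []Hit {
	u, err := url.Parse(rawPath)
	if err != nil || !strings.Contains(strings.ToLower(u.Path), "getlast") {
		return nil
	}
	var hits []Hit
	for param, values := range u.Query() {
		for _, v := range values {
			if sqliRe.MatchString(v) {
				hits = append(hits, Hit{Line: lineNo, Param: param, Value: v})
			}
		}
	}
	return hits
}

// scanLog runs scanRequest over every line of a request log and returns
// all hits in line order. The path is assumed to be the third field.
func scanLog(log string) []Hit {
	var hits []Hit
	for i, line := range strings.Split(log, "\n") {
		fields := strings.Fields(line)
		if len(fields) < 3 {
			continue
		}
		hits = append(hits, scanRequest(i+1, fields[2])...)
	}
	return hits
}

func main() {
	for _, h := range scanLog(sampleLog) {
		fmt.Printf("line %d: suspicious %s=%q\n", h.Line, h.Param, h.Value)
	}
}
```

On the constructed sample this reports lines 2 and 4 (a stacked DELETE and a UNION against sqlite_master) and stays silent on the legitimate getLast request on line 1. Expect false positives from legitimate names only if your schema uses table names outside the plain-identifier form; in that case tighten the match to the specific parameter rather than all query values.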
