CVE-2025-54790

6.5 MEDIUM

📋 TL;DR

This SQL injection vulnerability in the HumHub Files module allows attackers to execute arbitrary SQL queries whose results are not returned directly (a blind injection), potentially giving access to unauthorized data. It affects all users of HumHub with the Files module installed. The vulnerability exists due to insufficient input validation in the module's backend SQL queries.

💻 Affected Systems

Products:
  • HumHub Files module
Versions: 0.16.9 and below
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects HumHub installations with the Files module enabled. The vulnerability is in the module itself, not the core HumHub platform.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise: user credentials, private file metadata, and sensitive configuration data could be extracted.

🟠 Likely Case

Unauthorized access to file metadata, user information, and potentially some sensitive data stored in the database.

🟢 If Mitigated

Limited data exposure when proper input validation and restrictive database permissions are in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires an understanding of the application's SQL structure and, most likely, some level of access to the Files module functionality.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.16.10

Vendor Advisory: https://github.com/humhub/cfiles/security/advisories/GHSA-rfvq-g9rm-pgqj

Restart Required: No

Instructions:

1. Back up your HumHub installation and database.
2. Update the Files module to version 0.16.10 via the HumHub Marketplace or by manual installation.
3. Verify the update was successful by checking the module version in the admin panel.

🔧 Temporary Workarounds

Disable Files Module

Applies to: all

Temporarily disable the vulnerable Files module until patching is possible.

Navigate to Administration -> Modules -> Files -> Disable

🧯 If You Can't Patch

  • Implement strict input validation and parameterized queries at the application level
  • Restrict database user permissions to minimum required access

🔍 How to Verify

Check if Vulnerable:

Check the Files module version in the HumHub admin panel under Administration -> Modules; any version at or below 0.16.9 is affected.

Check Version:

Check the HumHub admin panel or inspect the module's composer.json file.

Verify Fix Applied:

Confirm that the Files module version shows 0.16.10 or higher in the admin panel.
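As an added example (not from the advisory or the HumHub project), a small Python check that reads the module's JSON metadata and decides whether the installed version is at or below 0.16.9, comparing numerically so that 0.16.10 is not mistaken for an older release than 0.16.9. It assumes the metadata file has a top-level "version" key (the advisory points at composer.json; HumHub modules also ship a module.json); the sample manifest in the block is constructed.

```python
import json
import re

# Versions from the advisory: 0.16.9 and below are affected, 0.16.10 fixes it.
LAST_AFFECTED = "0.16.9"
FIXED_VERSION = "0.16.10"


def parse_version(version: str) -> tuple:
    """Split a dotted version into integers so 0.16.10 sorts after 0.16.9.

    A plain string comparison gets this wrong ("0.16.10" < "0.16.9"), which
    would make a patched install look vulnerable or vice versa.
    Non-numeric suffixes such as "-beta" are ignored.
    """
    core = re.match(r"[0-9]+(\.[0-9]+)*", version.strip())
    if core is None:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in core.group(0).split("."))


def is_affected(version: str) -> bool:
    """True when the Files module version is at or below 0.16.9."""
    return parse_version(version) <= parse_version(LAST_AFFECTED)


def check_module_manifest(manifest_text: str) -> dict:
    """Read the module's JSON metadata and report its patch status.

    Assumes a top-level "version" key (file name and layout are an
    assumption here, not taken from the advisory).
    """
    data = json.loads(manifest_text)
    version = data.get("version")
    if not version:
        raise ValueError("manifest has no 'version' field")
    return {
        "version": version,
        "affected": is_affected(version),
        "recommended": FIXED_VERSION,
    }


if __name__ == "__main__":
    # Constructed sample manifest, not a real file from a HumHub install.
    sample = '{"id": "cfiles", "name": "Files", "version": "0.16.9"}'
    print(check_module_manifest(sample))
```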

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL query patterns in database logs
  • Multiple failed authentication attempts followed by file module access

Network Indicators:

  • Unusual POST requests to Files module endpoints with SQL-like parameters

SIEM Query:

source="humhub_logs" AND (message="*SQL*" OR message="*database*" OR message="*query*")

This query is a broad starting point and will match routine log lines; tune it to the Files module's request paths and your log format to reduce noise.
