CVE-2025-61141
📋 TL;DR
CVE-2025-61141 allows remote command injection in sqls-server/sqls version 0.2.28 through the config command. Attackers can execute arbitrary commands by manipulating the EDITOR environment variable when the openEditor function passes unsanitized input to sh -c. This affects users running the vulnerable sqls version with config command access.
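The mechanism described above is the classic "string into `sh -c`" pattern: the untrusted EDITOR value becomes part of a shell command line, so shell metacharacters in it are interpreted as syntax rather than as an editor name. The Go snippet below is an added illustration, not code from the sqls project: `vulnerableEditorCommand` shows the unsafe pattern (building the command as one string for `sh -c`), and `safeEditorArgv`/`safeEditorCommand` show the hardened approach of validating EDITOR, splitting it into an argument vector, and executing the binary directly with no shell in the path. The function names, the metacharacter list and the sample values are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// shellMeta lists characters that would change the meaning of a command line
// if the value were ever handed to a shell. The set is chosen for this example.
const shellMeta = ";|&$`<>(){}\n\"'\\*?[]~#"

// ErrUnsafeEditor is returned when EDITOR contains shell metacharacters.
var ErrUnsafeEditor = errors.New("EDITOR contains shell metacharacters")

// vulnerableEditorCommand reproduces the unsafe pattern the advisory
// describes: the raw EDITOR value is concatenated into a single string that
// a shell will parse. It is built here for contrast only and is never run.
func vulnerableEditorCommand(editor, path string) *exec.Cmd {
	return exec.Command("sh", "-c", editor+" "+path)
}

// safeEditorArgv validates EDITOR and turns it into an argument vector.
// Whitespace-separated flags (e.g. "code --wait") are kept as separate
// arguments; anything that needs a shell to interpret is rejected.
func safeEditorArgv(editor, path string) ([]string, error) {
	if strings.ContainsAny(editor, shellMeta) {
		return nil, ErrUnsafeEditor
	}
	fields := strings.Fields(editor)
	if len(fields) == 0 {
		return nil, errors.New("EDITOR is empty")
	}
	return append(fields, path), nil
}

// safeEditorCommand runs the editor binary directly. exec.Command with an
// explicit argv never invokes a shell, so the file path and flags are passed
// verbatim and cannot be reinterpreted as commands.
func safeEditorCommand(editor, path string) (*exec.Cmd, error) {
	argv, err := safeEditorArgv(editor, path)
	if err != nil {
		return nil, err
	}
	cmd := exec.Command(argv[0], argv[1:]...)
	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
	return cmd, nil
}

func main() {
	// Constructed sample values: a plain editor, an editor with a flag, and a
	// value carrying a metacharacter that the validator must reject.
	for _, v := range []string{"vim", "code --wait", "vim; id"} {
		argv, err := safeEditorArgv(v, "/tmp/config.yml")
		fmt.Printf("%-14q -> argv=%v err=%v\n", v, argv, err)
	}
}
```

The important design choice is that the hardened version never constructs a shell command line at all; the metacharacter check is defence in depth for the case where an editor value is later logged, displayed or handed to a different launcher.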
💻 Affected Systems
- sqls-server/sqls
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Arbitrary command execution as the sqls process user, potentially leading to data theft, privilege escalation, or complete system takeover.
Likely Case
Limited command execution within the sqls user context, potentially accessing sensitive database information or establishing persistence.
If Mitigated
No impact if proper input validation and environment variable sanitization are implemented.
🎯 Exploit Status
Exploitation requires access to sqls service and ability to set EDITOR environment variable. Public proof-of-concept demonstrates command injection.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.2.29 or later
Vendor Advisory: https://github.com/sqls-server/sqls/security/advisories
Restart Required: Yes
Instructions:
1. Stop the sqls service.
2. Update to version 0.2.29 or later using your package manager or a manual installation.
3. Restart the sqls service.
4. Verify the fix by checking the version.
🔧 Temporary Workarounds
Restrict EDITOR Environment Variable
Platform: linux
Set EDITOR to a safe, non-shell editor or restrict its modification
export EDITOR='vim'
unset EDITOR
Disable Config Command
Platform: all
Remove or restrict access to the vulnerable config command if not needed
# Modify sqls configuration to disable config command
🧯 If You Can't Patch
- Implement strict network access controls to limit sqls service exposure
- Monitor and audit EDITOR environment variable changes and shell command execution
🔍 How to Verify
Check if Vulnerable:
Check if sqls version is 0.2.28: run 'sqls --version' or check package manager
Check Version:
sqls --version
Verify Fix Applied:
Confirm the version is 0.2.29 or later, then test the config command with EDITOR values containing shell metacharacters and confirm they are not executed
📡 Detection & Monitoring
Log Indicators:
- Unusual shell commands executed from sqls process
- EDITOR environment variable containing shell metacharacters
Network Indicators:
- Unexpected outbound connections from sqls process
SIEM Query:
process.name='sqls' AND cmdline CONTAINS 'sh -c'
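The SIEM query and log indicators above can be expressed as a small piece of detection logic. The Go program below is an added example, not tooling from sqls or any particular SIEM vendor: it parses constructed key=value process events (the event format, field names and timestamps are assumptions for this example), flags any `sh -c` launched by a process named sqls, and raises the severity when the shell payload contains metacharacters, which is the condition the "EDITOR environment variable containing shell metacharacters" indicator describes.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// sampleEvents holds constructed audit-style events in key=value form.
// The format and the values are made up for this example; they are not the
// output of any real tool.
const sampleEvents = `ts=2025-10-01T10:00:01Z process.name=sqls cmdline="sqls --config /home/u/.config/sqls/config.yml"
ts=2025-10-01T10:00:05Z process.name=sqls cmdline="sh -c vim /home/u/.config/sqls/config.yml"
ts=2025-10-01T10:00:09Z process.name=sqls cmdline="sh -c vim; id /home/u/.config/sqls/config.yml"
ts=2025-10-01T10:01:00Z process.name=bash cmdline="sh -c ls"`

// Alert is one detection hit.
type Alert struct {
	Timestamp string
	Severity  string
	Cmdline   string
}

// fieldRe matches either key="quoted value" or key=bare-value tokens.
var fieldRe = regexp.MustCompile(`(\S+)="([^"]*)"|(\S+)=(\S+)`)

// parseEvent turns one event line into a field map.
func parseEvent(line string) map[string]string {
	fields := map[string]string{}
	for _, m := range fieldRe.FindAllStringSubmatch(line, -1) {
		if m[1] != "" {
			fields[m[1]] = m[2]
		} else {
			fields[m[3]] = m[4]
		}
	}
	return fields
}

// detect applies the advisory's indicators: a process named sqls spawning
// `sh -c` is suspicious on its own (medium), and becomes high severity when
// the shell payload carries metacharacters that chain extra commands.
func detect(events string) []Alert {
	var alerts []Alert
	for _, line := range strings.Split(events, "\n") {
		f := parseEvent(line)
		if f["process.name"] != "sqls" {
			continue
		}
		cmd := f["cmdline"]
		if !strings.Contains(cmd, "sh -c ") {
			continue
		}
		payload := strings.TrimPrefix(cmd, "sh -c ")
		severity := "medium"
		if strings.ContainsAny(payload, ";|&$`<>") {
			severity = "high"
		}
		alerts = append(alerts, Alert{Timestamp: f["ts"], Severity: severity, Cmdline: cmd})
	}
	return alerts
}

func main() {
	for _, a := range detect(sampleEvents) {
		fmt.Printf("%s [%s] %s\n", a.Timestamp, a.Severity, a.Cmdline)
	}
}
```

On the constructed input this produces two alerts: the legitimate editor launch at medium severity (it still matches the page's SIEM query and is worth reviewing while the vulnerable version is deployed) and the chained command at high severity. Tune the medium-severity case to your environment once the patched version no longer routes the editor through `sh -c`.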