CVE-2025-7950

7.3 HIGH

📋 TL;DR

CVE-2025-7950 is a high-severity SQL injection vulnerability in code-projects Public Chat Room 1.0 that allows attackers to execute arbitrary SQL commands via the Username parameter in /login.php. It affects all deployments of Public Chat Room 1.0 that include the vulnerable login.php file. Attackers can exploit it remotely without authentication.

💻 Affected Systems

Products:
  • code-projects Public Chat Room
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of Public Chat Room 1.0 with the default /login.php file are vulnerable. No special configuration required.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including data theft, data manipulation, authentication bypass, and potential remote code execution if database functions allow it.

🟠 Likely Case

Database information disclosure, authentication bypass, and potential privilege escalation leading to unauthorized access to chat room data.

🟢 If Mitigated

Limited impact with proper input validation and parameterized queries preventing SQL injection.

🌐 Internet-Facing: HIGH - The vulnerability is in a public-facing login page and can be exploited remotely without authentication.
🏢 Internal Only: MEDIUM - Still exploitable by internal attackers or compromised internal systems, but attack surface is reduced.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly disclosed on GitHub and VulDB. SQL injection via the Username parameter is straightforward to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a newer version if available, or implement workarounds.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Add input validation to /login.php to sanitize the Username parameter and prevent SQL injection.

Edit /login.php to implement parameterized queries or proper input escaping.
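
One way to apply this workaround, shown as an added example that is not the project's own code: a login handler that binds the Username value through a PDO prepared statement. The DSN, the chat_app account, the CHAT_DB_PASSWORD variable, the users table with its id, username and password columns (assumed to hold password_hash() output) and the Password field name are all assumptions, since the page does not show the application's schema.

```php
<?php
// Added example, not the project's code. DSN, account, table and column names are assumptions.
declare(strict_types=1);
session_start();

function db(): PDO
{
    return new PDO('mysql:host=127.0.0.1;dbname=chat;charset=utf8mb4', 'chat_app',
        getenv('CHAT_DB_PASSWORD') ?: '', [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
        ]);
}

function find_user(PDO $pdo, string $username): ?array
{
    // Username is bound as data; it is never concatenated into the SQL text.
    $stmt = $pdo->prepare('SELECT id, password FROM users WHERE username = :u LIMIT 1');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$username = $_POST['Username'] ?? '';
$password = $_POST['Password'] ?? '';   // field name assumed

// Allow-list validation is defence in depth; the bound parameter stops the injection.
if (!is_string($username) || !is_string($password)
    || preg_match('/^[A-Za-z0-9_.-]{1,32}$/', $username) !== 1) {
    http_response_code(400);
    exit('Invalid login request.');
}

try {
    $user = find_user(db(), $username);
} catch (PDOException $e) {
    error_log('login.php: ' . $e->getMessage()); // log server-side, never echo DB errors
    http_response_code(500);
    exit('Login unavailable.');
}

if ($user !== null && password_verify($password, (string) $user['password'])) {
    session_regenerate_id(true);
    $_SESSION['user_id'] = $user['id'];
    exit('Logged in.');
}
http_response_code(401);
exit('Invalid username or password.');
```

Returning the same generic messages for every failure also removes the database-error signal that the verification steps on this page look for.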

Web Application Firewall (WAF)

all

Deploy WAF rules to block SQL injection patterns in login requests.

Configure WAF to detect and block SQL injection patterns in POST parameters

🧯 If You Can't Patch

  • Isolate the chat room application in a segmented network to limit potential damage
  • Implement strict network access controls and monitor for SQL injection attempts

🔍 How to Verify

Check if Vulnerable:

Test /login.php with SQL injection payloads in the Username parameter (e.g., ' OR '1'='1). Check whether the application returns database errors or shows unexpected behavior.

Check Version:

Check the application version in source code or configuration files, typically in readme or version files.

Verify Fix Applied:

After implementing fixes, test with the same SQL injection payloads to confirm they are blocked and no longer cause database errors.

📡 Detection & Monitoring

Log Indicators:

  • SQL syntax errors in application logs
  • Unusual database queries from login.php
  • Multiple failed login attempts with SQL patterns

Network Indicators:

  • HTTP POST requests to /login.php containing SQL keywords (UNION, SELECT, etc.) in parameters

SIEM Query:

source="web_logs" AND uri="/login.php" AND (payload="*UNION*" OR payload="*SELECT*" OR payload="*OR '1'='1*")
