CVE-2025-9413

6.3 MEDIUM

📋 TL;DR

This SQL injection vulnerability in lostvip-com ruoyi-go allows attackers to manipulate database queries through the orderByColumn/isAsc parameters. It affects ruoyi-go versions up to 2.1 and can be exploited remotely to potentially access, modify, or delete database contents. Organizations using vulnerable versions of this software are at risk.

💻 Affected Systems

Products:
  • lostvip-com ruoyi-go
Versions: up to version 2.1
Operating Systems: All platforms running ruoyi-go
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the SelectListByPage function in modules/system/system_router.go

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise including data theft, modification, or deletion; potential privilege escalation to system-level access.

🟠 Likely Case: Unauthorized data access and extraction from the application database.

🟢 If Mitigated: Limited impact with proper input validation and database permission restrictions in place.

🌐 Internet-Facing: HIGH - Attack can be initiated remotely without authentication.
🏢 Internal Only: MEDIUM - Still exploitable by internal attackers or compromised systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit has been published and may be used; manipulation of orderByColumn/isAsc parameters causes SQL injection.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None - vendor did not respond to disclosure

Restart Required: No

Instructions:

No official patch available. Consider upgrading to version 2.2 or later if available, or implement workarounds.

🔧 Temporary Workarounds

Input Validation and Sanitization (applies to: all platforms)

Implement strict input validation for the orderByColumn and isAsc parameters to prevent SQL injection: accept orderByColumn only from an allowlist of known column names and isAsc only as an ascending/descending keyword, rejecting anything else.

Parameterized Queries (applies to: all platforms)

Modify the SelectListByPage function to use parameterized queries or prepared statements for data values. Note that an ORDER BY column name and sort direction cannot be passed as bound parameters, so those two inputs still have to be mapped through an allowlist rather than interpolated into the query.
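As an added example (not ruoyi-go's own code), the following Go helper shows the allowlist check the workarounds above describe, applied to both the orderByColumn and isAsc parameters; SafeOrderBy, UserSortColumns and the column names are hypothetical, and the empty-parameter case is handled explicitly.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrBadOrderBy is returned for any sort parameter not on the allowlist.
var ErrBadOrderBy = errors.New("rejected orderByColumn/isAsc value")

// UserSortColumns is a constructed allowlist for a user list endpoint:
// client-facing name -> exact SQL identifier that may appear in ORDER BY.
var UserSortColumns = map[string]string{
	"userId":     "user_id",
	"userName":   "user_name",
	"createTime": "create_time",
}

// SafeOrderBy (hypothetical helper, not ruoyi-go code) turns the advisory's
// orderByColumn/isAsc request parameters into an ORDER BY clause. Identifiers
// and ASC/DESC cannot be bound as SQL placeholders, so an allowlist lookup,
// not escaping, is what keeps attacker-supplied text out of the query.
func SafeOrderBy(orderByColumn, isAsc string, allowed map[string]string) (string, error) {
	if orderByColumn == "" {
		return "", nil // no sort requested: caller omits ORDER BY entirely
	}
	col, ok := allowed[orderByColumn]
	if !ok {
		return "", fmt.Errorf("%w: column %q", ErrBadOrderBy, orderByColumn)
	}
	var dir string
	switch strings.ToLower(isAsc) {
	case "", "asc", "ascending":
		dir = "ASC"
	case "desc", "descending":
		dir = "DESC"
	default:
		return "", fmt.Errorf("%w: direction %q", ErrBadOrderBy, isAsc)
	}
	return " ORDER BY " + col + " " + dir, nil
}

func main() {
	// Constructed inputs: one valid sort and two that must be rejected.
	for _, in := range [][2]string{{"createTime", "desc"}, {"userName'", "asc"}, {"userId", "asc; x"}} {
		clause, err := SafeOrderBy(in[0], in[1], UserSortColumns)
		fmt.Printf("%q/%q -> %q err=%v\n", in[0], in[1], clause, err)
	}
}
```

The returned clause is appended to a query whose WHERE values are still bound as parameters; only the allowlisted identifier and a fixed keyword ever reach the SQL text.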

🧯 If You Can't Patch

  • Implement web application firewall (WAF) with SQL injection rules
  • Restrict database user permissions to minimum required access

🔍 How to Verify

Check if Vulnerable:

Check ruoyi-go version; if version ≤ 2.1, examine modules/system/system_router.go for vulnerable SelectListByPage function

Check Version:

Check application version in configuration files or via application interface

Verify Fix Applied:

Test orderByColumn and isAsc parameters with SQL injection payloads; verify no database manipulation occurs

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts or parameter manipulation attempts

Network Indicators:

  • SQL injection patterns in HTTP requests to system_router endpoints

SIEM Query:

web_requests WHERE url CONTAINS 'system_router' AND (params CONTAINS 'orderByColumn' OR params CONTAINS 'isAsc') AND params MATCHES '.*[;'"].*'
