CVE-2023-25330 Overview
CVE-2023-25330 is a SQL injection vulnerability in MyBatis-Plus versions below 3.5.3.1. The flaw resides in the tenant ID valuer used by the multi-tenant plugin. Remote attackers can execute arbitrary SQL commands by supplying a crafted tenant ID value that is concatenated directly into SQL statements [CWE-89].
The vendor (Baomidou) states the issue can only occur in misconfigured applications and provides documentation on developing applications that avoid SQL injection. A public proof-of-concept demonstrating the tenant plugin injection path is available on GitHub.
Critical Impact
Unauthenticated remote attackers can read, modify, or destroy database contents by injecting SQL through the tenant ID valuer in vulnerable MyBatis-Plus deployments.
Affected Products
- MyBatis-Plus versions prior to 3.5.3.1
- Java applications using the MyBatis-Plus multi-tenant plugin (TenantLineInnerInterceptor)
- Spring Boot applications relying on user-controlled tenant ID resolution
Discovery Timeline
- 2023-04-05 - CVE-2023-25330 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-25330
Vulnerability Analysis
MyBatis-Plus is an enhancement library for the MyBatis Java persistence framework. It provides a multi-tenant plugin that rewrites SQL queries to append a tenant filter clause, typically in the form tenant_id = <value>. The tenant value is produced by a TenantLineHandler implementation that resolves the current tenant ID at runtime.
The vulnerability arises because the tenant ID returned by the valuer is inserted into the rewritten SQL as a literal expression rather than as a bound parameter. When an application sources the tenant ID from an HTTP header, cookie, or other client-controlled input without validation, an attacker can submit a payload that breaks out of the expected expression and appends arbitrary SQL.
This grants the attacker the privileges of the database account used by the application, including data exfiltration, modification, and in some configurations, command execution through database-specific features.
Root Cause
The root cause is unsafe string interpolation of the tenant identifier into generated SQL. The plugin trusts the value returned by getTenantId() and inserts it directly into the WHERE clause. Combined with applications that obtain the tenant ID from request headers without sanitization, this produces a classic injection sink. The vendor position is that callers must validate the value before returning it from TenantLineHandler.getTenantId().
Attack Vector
The attack is performed over the network with no authentication or user interaction. An attacker sends an HTTP request containing a malicious tenant identifier (for example, in a tenant-id header). The vulnerable application invokes the tenant handler, which returns the attacker-controlled string. The plugin then rewrites a benign query into one that contains injected SQL, which the database executes.
The vulnerability mechanism is described in detail in the GitHub MybatisPlus SQL Injection PoC and the Baomidou CVE Reference. No verified exploit code is reproduced here.
Detection Methods for CVE-2023-25330
Indicators of Compromise
- HTTP requests containing SQL metacharacters (single quotes, UNION, SELECT, comment sequences -- or /*) in tenant-related headers or parameters.
- Database query logs showing rewritten WHERE clauses with unexpected operators or subqueries adjacent to tenant_id.
- Anomalous outbound queries from the application database account, particularly against system catalogs such as information_schema.
- Application error logs referencing TenantLineInnerInterceptor with malformed SQL exceptions.
Detection Strategies
- Enable database query logging and alert on queries containing tenant_id followed by patterns inconsistent with a numeric or short alphanumeric literal.
- Deploy a web application firewall rule that inspects tenant headers and parameters for SQL injection signatures.
- Add application-level logging inside the TenantLineHandler implementation to record every resolved tenant ID and its source.
Monitoring Recommendations
- Monitor for spikes in database errors originating from the application service account.
- Track unusual data volume reads against tables protected by the tenant plugin.
- Correlate authentication anomalies with tenant header values that do not match the authenticated user's tenant.
How to Mitigate CVE-2023-25330
Immediate Actions Required
- Upgrade MyBatis-Plus to version 3.5.3.1 or later across all application services.
- Audit every TenantLineHandler implementation and reject tenant IDs that are not strictly numeric or do not match an allowlist.
- Restrict the database account used by the application to least privilege and revoke access to system catalogs where feasible.
- Review web server and application logs for prior requests containing suspicious tenant header values.
Patch Information
Upgrade the mybatis-plus-core and related artifacts to 3.5.3.1 or higher. Refer to the Baomidou CVE Reference for the vendor's guidance on secure tenant handler implementation, including input validation patterns the framework expects callers to apply.
Workarounds
- Validate tenant IDs against a strict regular expression such as ^[0-9]+$ before returning them from getTenantId().
- Resolve tenant IDs from server-side session state or authenticated JWT claims rather than from client-supplied headers.
- Deploy WAF rules that block tenant headers containing SQL keywords, quotes, or comment markers.
# Maven dependency upgrade example
# Update pom.xml to use the patched version
mvn versions:use-dep-version \
-Dincludes=com.baomidou:mybatis-plus-boot-starter \
-DdepVersion=3.5.3.1 \
-DforceVersion=true
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
