CVE-2025-0168 Overview
CVE-2025-0168 is a SQL injection vulnerability affecting code-projects Job Recruitment 1.0. The flaw resides in the /_parse/_feedback_system.php script, where the person parameter is passed into a database query without proper sanitization. An attacker can manipulate this argument to inject arbitrary SQL statements. The vulnerability is exploitable remotely over the network and requires low-level privileges. Public exploit details have been disclosed, increasing the likelihood of opportunistic attacks against exposed deployments. The issue is tracked under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-74 (Improper Neutralization in Output).
Critical Impact
Remote attackers with low privileges can inject arbitrary SQL through the person parameter, leading to unauthorized read or modification of backend database contents.
Affected Products
- code-projects Job Recruitment 1.0
- Anisha job_recruitment 1.0
- Deployments exposing /_parse/_feedback_system.php
Discovery Timeline
- 2025-01-01 - CVE-2025-0168 published to NVD
- 2025-02-25 - Last updated in NVD database
Technical Details for CVE-2025-0168
Vulnerability Analysis
The vulnerability exists in the feedback handling logic of code-projects Job Recruitment 1.0. The endpoint /_parse/_feedback_system.php accepts a person parameter and concatenates its value directly into an SQL statement. Because the application performs no input validation, type casting, or parameterized query binding, attacker-controlled syntax becomes part of the executed SQL.
Successful exploitation enables read access to database tables, modification of stored records, and potential authentication bypass through boolean-based or UNION-based injection techniques. Depending on the database user's privileges, an attacker may also enumerate schema metadata or write files to disk.
The disclosure has been made public, and proof-of-concept details are referenced in the GitHub advisory entry and on VulDB entry 289917.
Root Cause
The root cause is direct concatenation of untrusted HTTP request input into an SQL query string. The person argument is not sanitized, escaped, or bound through prepared statements before being passed to the MySQL backend.
Attack Vector
An attacker sends a crafted HTTP request to /_parse/_feedback_system.php containing a malicious payload in the person parameter. No user interaction is required. The attack path is network-accessible and works against any internet-exposed instance of the application.
No verified exploitation code is published in vendor-controlled channels. Refer to the VulDB submission record 473107 for technical detail on the disclosed payload format.
Detection Methods for CVE-2025-0168
Indicators of Compromise
- HTTP requests to /_parse/_feedback_system.php containing SQL meta-characters such as single quotes, UNION, SELECT, --, or OR 1=1 in the person parameter.
- Unexpected database errors in PHP or MySQL logs originating from the feedback handler.
- Outbound database queries referencing information_schema or mysql.user from the web application context.
Detection Strategies
- Inspect web server access logs for anomalous person parameter values, particularly URL-encoded SQL syntax.
- Deploy a Web Application Firewall (WAF) signature targeting SQL injection patterns against the feedback endpoint.
- Enable MySQL general query logging temporarily and correlate suspicious queries with HTTP request timestamps.
Monitoring Recommendations
- Alert on HTTP 500 responses returned by /_parse/_feedback_system.php, which often indicate failed injection attempts.
- Monitor for sudden spikes in request volume to the feedback endpoint from single source IPs.
- Track database account activity for unusual SELECT patterns against authentication or user tables.
How to Mitigate CVE-2025-0168
Immediate Actions Required
- Restrict public access to /_parse/_feedback_system.php via firewall or .htaccess rules until a patched build is available.
- Audit all feedback table records for unauthorized inserts or modifications since deployment.
- Rotate database credentials used by the application if logs show evidence of injection attempts.
Patch Information
No official vendor patch has been published at the time of NVD update on 2025-02-25. Track the vendor site at code-projects.org for future releases. Organizations should consider replacing the application or applying source-level fixes that convert the vulnerable query to a prepared statement using PDO or mysqli parameter binding.
Workarounds
- Modify the affected PHP source to use parameterized queries with bound parameters for the person argument.
- Apply server-side input validation that rejects non-alphanumeric characters in the person field.
- Place the application behind a WAF configured with OWASP Core Rule Set protections for SQL injection.
# Example ModSecurity rule blocking SQLi patterns on the feedback endpoint
SecRule REQUEST_URI "@contains /_parse/_feedback_system.php" \
"id:1000168,phase:2,deny,status:403,\
chain,msg:'CVE-2025-0168 SQLi attempt on person parameter'"
SecRule ARGS:person "@detectSQLi" "t:none,t:urlDecodeUni"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
