CVE-2025-10105 Overview
CVE-2025-10105 is a SQL injection vulnerability in yanyutao0402 ChanCMS versions up to 3.3.1. The flaw resides in the /cms/article/search endpoint, where the keyword argument is incorporated into a database query without proper sanitization. Remote attackers with low-level privileges can manipulate the keyword parameter to inject arbitrary SQL statements. The exploit has been publicly disclosed, increasing the likelihood of opportunistic abuse against unpatched instances. The vulnerability is classified under [CWE-74] (Improper Neutralization of Special Elements in Output Used by a Downstream Component).
Critical Impact
Authenticated remote attackers can manipulate SQL queries via the keyword parameter on /cms/article/search, potentially exposing or altering database contents in ChanCMS deployments.
Affected Products
- ChanCMS versions up to and including 3.3.1
- Vendor: chancms (yanyutao0402/ChanCMS)
- Component: /cms/article/search endpoint
Discovery Timeline
- 2025-09-08 - CVE-2025-10105 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2025-10105
Vulnerability Analysis
The vulnerability affects the article search functionality in ChanCMS, a content management system maintained on GitHub. The keyword request parameter sent to /cms/article/search is concatenated into a backend SQL query without parameterization or input neutralization. An attacker supplying crafted SQL syntax through this parameter can alter the structure of the executed query.
Exploitation requires network access and low-privilege authentication, but no user interaction. Successful attacks may read, modify, or delete data within the underlying database, depending on the privileges assigned to the application's database user. The vulnerability is tracked under [CWE-74] for improper neutralization of special elements passed to a downstream interpreter.
Root Cause
The root cause is insufficient input validation and the absence of parameterized queries when handling the keyword argument in the article search routine. User-supplied content flows directly into a SQL statement, allowing injection payloads to be interpreted as query syntax rather than literal data.
Attack Vector
A remote attacker authenticates to the ChanCMS instance and issues an HTTP request to /cms/article/search containing a malicious keyword value. The injected SQL is executed against the application database. Public discussion of the issue and the proof-of-concept exists in the GitHub Issue Discussion and the VulDB entry #323072.
No verified exploit code is reproduced here. Refer to the linked references for technical specifics.
Detection Methods for CVE-2025-10105
Indicators of Compromise
- HTTP requests to /cms/article/search containing SQL meta-characters such as single quotes, UNION, SELECT, --, or /* within the keyword parameter.
- Unusual database error messages returned by the ChanCMS application following search requests.
- Anomalous outbound database queries or oversized result sets originating from the ChanCMS web process.
Detection Strategies
- Deploy web application firewall (WAF) signatures that inspect the keyword query parameter for SQL injection patterns on the /cms/article/search route.
- Enable database audit logging to capture queries containing concatenated keyword strings from the application user account.
- Correlate authenticated session activity with bursts of search requests to identify probing behavior.
Monitoring Recommendations
- Monitor web server access logs for repeated /cms/article/search requests from a single source, especially with encoded payloads.
- Track HTTP 500 responses and database driver exceptions tied to the search endpoint.
- Review authenticated user accounts that issue search requests outside of normal browsing patterns.
How to Mitigate CVE-2025-10105
Immediate Actions Required
- Restrict access to the ChanCMS administrative and authenticated areas to trusted networks until a patched version is deployed.
- Apply WAF rules that block SQL injection patterns targeting the keyword parameter of /cms/article/search.
- Review database logs for evidence of prior exploitation attempts against the search endpoint.
Patch Information
No official vendor patch URL is referenced in the NVD record at publication time. Track the upstream yanyutao0402/ChanCMS repository and the GitHub Issue Discussion for updates beyond version 3.3.1. Verify any fix by confirming that the keyword parameter is handled through parameterized queries or a query builder with bound parameters.
Workarounds
- Disable or restrict the /cms/article/search endpoint at the reverse proxy or web server layer until an updated build is available.
- Enforce least-privilege database credentials for the ChanCMS application user, limiting SELECT, INSERT, UPDATE, and schema-level permissions.
- Add server-side input validation that rejects non-alphanumeric characters in the keyword field where feasible.
# Example NGINX rule to block suspicious keyword payloads on the search endpoint
location /cms/article/search {
if ($arg_keyword ~* "(union|select|insert|update|delete|--|/\*|;|')") {
return 403;
}
proxy_pass http://chancms_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

