Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-10210

CVE-2025-10210: Chancms Chancms SQL Injection Vulnerability

CVE-2025-10210 is a SQL injection vulnerability in Chancms Chancms affecting versions up to 3.3.0 that allows remote attackers to manipulate database queries. This article covers technical details, impact, and mitigation.

Published:

CVE-2025-10210 Overview

CVE-2025-10210 is a SQL injection vulnerability affecting yanyutao0402 ChanCMS versions up to 3.3.0. The flaw resides in the Search function of app/modules/api/service/Api.js. Attackers can manipulate the key argument to inject arbitrary SQL statements into backend database queries. The vulnerability is exploitable remotely over the network and requires low privileges. Public exploit details have been released, increasing the risk of opportunistic attacks against exposed installations. The vendor was contacted prior to public disclosure but did not respond, leaving affected users without an official remediation timeline.

Critical Impact

Remote attackers with low-privileged access can inject SQL commands through the ChanCMS search API, potentially exposing or altering database contents.

Affected Products

  • yanyutao0402 ChanCMS versions up to and including 3.3.0
  • Component: app/modules/api/service/Api.js
  • Function: Search

Discovery Timeline

  • 2025-09-10 - CVE-2025-10210 published to the National Vulnerability Database (NVD)
  • 2026-04-29 - Last updated in NVD database

Technical Details for CVE-2025-10210

Vulnerability Analysis

The vulnerability is classified under CWE-74 as improper neutralization of special elements in output used by a downstream component (injection). It specifically manifests as SQL injection in the ChanCMS public-facing search API. An attacker submits crafted input through the key parameter, which is concatenated into a SQL query without proper sanitization or parameterization. The resulting query alters the intended database operation, enabling attackers to read, modify, or enumerate database records. Because the vulnerable endpoint is reachable across the network, exploitation does not require local access.

Root Cause

The Search method in app/modules/api/service/Api.js accepts the key user input and incorporates it into a database query without using prepared statements or proper escaping. This failure to neutralize special SQL characters allows attacker-controlled values to break out of the intended query context.

Attack Vector

Exploitation occurs over the network against the ChanCMS API search endpoint. An attacker with low-privileged access supplies a malicious key parameter containing SQL metacharacters. The injected fragment modifies the query logic to extract data, bypass filters, or alter records. Public proof-of-concept material is referenced in the GitHub PoC Section and the VulDB #323483 entry, which lowers the barrier to opportunistic exploitation.

Detection Methods for CVE-2025-10210

Indicators of Compromise

  • Unusual or malformed values for the key parameter in HTTP requests targeting ChanCMS API search endpoints, including SQL syntax such as UNION SELECT, OR 1=1, or stacked queries.
  • Unexpected database errors logged by the ChanCMS Node.js application correlated with API search traffic.
  • Spikes in outbound database query volume or query latency originating from the Search function.

Detection Strategies

  • Inspect web server and application logs for requests to ChanCMS search routes containing SQL keywords or encoded SQL metacharacters in the key parameter.
  • Deploy Web Application Firewall (WAF) signatures tuned to detect SQL injection patterns against the ChanCMS API path.
  • Enable database query auditing to flag unusual SELECT, UNION, or schema-enumeration queries originating from the ChanCMS service account.

Monitoring Recommendations

  • Continuously monitor authentication logs for low-privileged accounts performing repeated search API calls.
  • Alert on HTTP 500 responses or stack traces returned from Api.js that may indicate probing.
  • Correlate API search activity with database response sizes to identify mass data extraction attempts.

How to Mitigate CVE-2025-10210

Immediate Actions Required

  • Restrict network exposure of the ChanCMS API search endpoint to trusted users until a vendor patch is available.
  • Place a WAF in front of ChanCMS with rules blocking SQL injection payloads in the key parameter.
  • Audit database accounts used by ChanCMS to enforce least privilege, limiting the impact of successful injection.

Patch Information

No official vendor patch is available at the time of publication. The vendor did not respond to disclosure outreach according to the CVE record. Operators should track the VulDB #323483 CTI entry and the project repository for future fixes, and consider freezing deployments at a known configuration until a patched release is published.

Workarounds

  • Apply input validation at a reverse proxy to reject key values containing SQL metacharacters such as quotes, semicolons, or comment markers.
  • Modify the Search function in app/modules/api/service/Api.js to use parameterized queries or an ORM-provided query builder instead of string concatenation.
  • Disable or remove the public search API if it is not required by the deployment.
  • Rotate database credentials and review database contents for unauthorized modifications if exploitation is suspected.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.