CVE-2025-10218 Overview
A SQL injection vulnerability has been identified in lostvip-com ruoyi-go version 2.1. This security flaw affects the SelectListPage function within the file modules/system/dao/SysRoleDao.go of the Background Management Page component. Attackers can manipulate the sortName argument to inject malicious SQL commands, potentially compromising the integrity and confidentiality of the database. Remote exploitation of this vulnerability is possible, and proof-of-concept details have been publicly disclosed.
Critical Impact
Authenticated attackers can exploit this SQL injection to extract sensitive data, modify database contents, or potentially escalate privileges within the application through manipulation of the sortName parameter in the Background Management Page.
Affected Products
- lostvip ruoyi-go version 2.1
Discovery Timeline
- 2025-09-10 - CVE-2025-10218 published to NVD
- 2025-10-16 - Last updated in NVD database
Technical Details for CVE-2025-10218
Vulnerability Analysis
This SQL injection vulnerability (CWE-89) stems from improper input validation in the ruoyi-go Background Management Page. The SelectListPage function in modules/system/dao/SysRoleDao.go fails to properly sanitize the sortName argument before incorporating it into SQL queries. This allows an authenticated attacker with low privileges to inject arbitrary SQL commands that execute within the context of the database user.
The vulnerability falls under the broader category of injection attacks (CWE-74), where untrusted input is processed without adequate validation. The network-accessible nature of the Background Management Page means attackers can exploit this remotely without requiring physical access to the system.
Root Cause
The root cause of this vulnerability is the lack of proper input sanitization and parameterized queries in the SelectListPage function. The sortName parameter is directly concatenated into SQL statements without escaping or validation, allowing attackers to break out of the intended query structure and inject their own SQL commands. This is a classic SQL injection pattern where dynamic SQL construction with user-controlled input creates a direct path for database manipulation.
Attack Vector
The attack vector for CVE-2025-10218 is network-based, requiring only low-privilege authenticated access to the Background Management Page. An attacker can craft malicious requests containing SQL injection payloads in the sortName parameter. When the SelectListPage function processes these requests, the injected SQL is executed against the backend database.
The exploitation chain involves:
- Authenticating to the ruoyi-go application with any valid user credentials
- Navigating to or interacting with the Background Management Page
- Submitting a crafted request with SQL injection payload in the sortName parameter
- The unsanitized input is passed to SysRoleDao.go, where it is incorporated into database queries
- The injected SQL executes, allowing data extraction, modification, or further exploitation
Technical details regarding this vulnerability can be found in the GitHub Issue Tracking CVE and the VulDB CVE Analysis #323486.
Detection Methods for CVE-2025-10218
Indicators of Compromise
- Unusual or malformed SQL syntax appearing in application logs related to the Background Management Page
- Unexpected database queries containing common SQL injection patterns such as UNION SELECT, OR 1=1, or comment sequences (--, /**/)
- Anomalous access patterns to the SelectListPage function or SysRoleDao.go endpoints
- Evidence of data exfiltration or unauthorized database modifications in audit logs
Detection Strategies
- Implement web application firewall (WAF) rules to detect SQL injection patterns in the sortName parameter
- Monitor application logs for requests to the Background Management Page containing suspicious characters or SQL keywords
- Deploy database activity monitoring to identify unusual query patterns or unexpected data access
- Use SentinelOne's application control features to detect anomalous behavior in Go-based web applications
Monitoring Recommendations
- Enable detailed logging for all requests to the ruoyi-go Background Management Page
- Configure alerting on database errors that may indicate failed SQL injection attempts
- Monitor for changes in database schema or unexpected privilege escalations
- Implement real-time analysis of HTTP request parameters for SQL injection indicators
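The detection strategies and monitoring recommendations above can be turned into a concrete log check. The program below is an added example written for this page, not part of ruoyi-go or of any SentinelOne product; the log layout, request path, user names, addresses and the set of expected sortName values are constructed assumptions. It parses access-log lines, URL-decodes the sortName parameter, and flags any value that is either not one of the column names the application is known to accept or that matches the indicator patterns listed above (UNION SELECT, OR 1=1, comment sequences). The allow-list check is the stronger signal: a sort column is a closed set, so anything outside it is anomalous regardless of whether it looks like SQL.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// Constructed sample lines in a combined-log layout (client, ident, user,
// timestamp, request, status, bytes). Paths, users and addresses are
// hypothetical; these are not real ruoyi-go logs.
var sampleLogLines = []string{
	`10.0.0.5 - admin [16/Oct/2025:10:01:02 +0000] "GET /system/role/list?pageNum=1&pageSize=10&sortName=roleSort&sortOrder=asc HTTP/1.1" 200 812`,
	`10.0.0.9 - guest [16/Oct/2025:10:01:09 +0000] "GET /system/role/list?pageNum=1&pageSize=10&sortName=role_id%20OR%201%3D1--&sortOrder=asc HTTP/1.1" 500 120`,
	`10.0.0.9 - guest [16/Oct/2025:10:01:11 +0000] "GET /system/role/list?sortName=role_id%20UNION%20SELECT%201 HTTP/1.1" 200 4410`,
	`10.0.0.9 - guest [16/Oct/2025:10:01:13 +0000] "GET /system/role/list?sortName=createTime%2F**%2F HTTP/1.1" 200 812`,
	`10.0.0.7 - ops [16/Oct/2025:10:02:00 +0000] "GET /system/user/list?sortName=roleName HTTP/1.1" 200 640`,
	`10.0.0.7 - ops [16/Oct/2025:10:02:03 +0000] "POST /login HTTP/1.1" 302 0`,
}

// expectedSortNames is the closed set of sort columns the application is
// assumed to accept (hypothetical names, not ruoyi-go's schema).
var expectedSortNames = map[string]bool{
	"roleId": true, "roleName": true, "roleSort": true, "createTime": true,
}

// requestRe captures client address, user and request target from a log line.
var requestRe = regexp.MustCompile(`^(\S+) \S+ (\S+) \[[^\]]+\] "(?:GET|POST|PUT|DELETE) (\S+) HTTP/`)

// sqliPatterns are the indicator classes named in the advisory, applied to
// the decoded parameter value.
var sqliPatterns = []struct {
	name string
	re   *regexp.Regexp
}{
	{"UNION SELECT", regexp.MustCompile(`(?i)\bunion\b[\s/*]+\bselect\b`)},
	{"OR tautology", regexp.MustCompile(`(?i)\bor\b\s+\S+\s*=\s*\S+`)},
	{"comment/terminator sequence", regexp.MustCompile(`--|/\*|\*/|;|'`)},
}

// Finding records one suspicious sortName value and why it was flagged.
type Finding struct {
	Line    int
	Client  string
	User    string
	Value   string
	Reasons []string
}

// ScanSortNameParam decodes the sortName parameter of every request line and
// reports values outside the allow-list or matching an indicator pattern.
func ScanSortNameParam(lines []string, allowed map[string]bool) []Finding {
	var out []Finding
	for i, ln := range lines {
		m := requestRe.FindStringSubmatch(ln)
		if m == nil {
			continue
		}
		u, err := url.Parse(m[3])
		if err != nil {
			continue
		}
		// Query() percent-decodes, so encoded payloads are inspected in clear.
		for _, v := range u.Query()["sortName"] {
			var reasons []string
			if !allowed[v] {
				reasons = append(reasons, "not an allow-listed sort column")
			}
			for _, p := range sqliPatterns {
				if p.re.MatchString(v) {
					reasons = append(reasons, "matches "+p.name)
				}
			}
			if len(reasons) > 0 {
				out = append(out, Finding{Line: i + 1, Client: m[1], User: m[2], Value: v, Reasons: reasons})
			}
		}
	}
	return out
}

// CountByClient aggregates findings per source address, a simple basis for
// an alert threshold (repeated probes from one client).
func CountByClient(findings []Finding) map[string]int {
	counts := make(map[string]int)
	for _, f := range findings {
		counts[f.Client]++
	}
	return counts
}

func main() {
	findings := ScanSortNameParam(sampleLogLines, expectedSortNames)
	for _, f := range findings {
		fmt.Printf("line %d client=%s user=%s sortName=%q reasons=%v\n", f.Line, f.Client, f.User, f.Value, f.Reasons)
	}
	fmt.Println("per-client:", CountByClient(findings))
}
```

Run against the constructed lines, the scanner flags the three requests from 10.0.0.9 and leaves the two legitimate sorts and the login request alone. In production the allow-list should be generated from the same table the application uses, so the two stay in step.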
How to Mitigate CVE-2025-10218
Immediate Actions Required
- Restrict network access to the Background Management Page to trusted IP addresses only
- Implement input validation on the sortName parameter at the application or WAF level
- Review and audit user accounts with access to the Background Management Page
- Monitor for exploitation attempts while awaiting a vendor patch
Patch Information
The vendor (lostvip) was contacted early about this disclosure but did not respond. As of the last update on 2025-10-16, no official patch has been released. Organizations using ruoyi-go 2.1 should implement the workarounds below and consider alternative solutions if the vendor remains unresponsive.
For the latest information, refer to the VulDB entry #323486.
Workarounds
- Deploy a web application firewall (WAF) configured to block SQL injection patterns in requests to the affected endpoints
- Implement application-level input validation to sanitize the sortName parameter before processing
- Restrict access to the Background Management Page to essential personnel only using network segmentation or access control lists
- Consider modifying the SysRoleDao.go source code to use parameterized queries if you have access to the codebase
# Example ModSecurity rule blocking SQL injection patterns in the sortName parameter.
# 'block' defers to the SecDefaultAction configured for phase 2; use
# "deny,status:403" instead if the disposition should be explicit.
SecRule ARGS:sortName "@detectSQLi" \
    "id:100001,\
    phase:2,\
    block,\
    msg:'SQL Injection attempt detected in sortName parameter',\
    log,\
    severity:CRITICAL"
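For the code-level workaround, one point deserves spelling out: a column identifier in an ORDER BY clause cannot be bound as a `?` placeholder with database/sql, so "parameterized queries" alone fixes the data values (the filter and LIMIT/OFFSET) while the sort column has to be mapped through a fixed allow-list. The Go program below is an added example for this page, not ruoyi-go's code: the table, column names, the RolePageQuery type and the unsafe function are hypothetical reconstructions of the pattern the Root Cause section describes, placed beside a hardened builder that never lets request input become SQL syntax.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Allow-list of sortable columns. Keys are the values accepted from the
// request; values are the exact identifiers emitted into the query text.
// (Column names are assumptions for illustration, not ruoyi-go's schema.)
var sortableRoleColumns = map[string]string{
	"roleId":     "role_id",
	"roleName":   "role_name",
	"roleSort":   "role_sort",
	"createTime": "create_time",
}

var (
	ErrBadSortColumn = errors.New("sortName is not an allow-listed sort column")
	ErrBadSortOrder  = errors.New("sortOrder must be asc or desc")
	ErrBadPage       = errors.New("pageNum/pageSize out of range")
)

// RolePageQuery is a hypothetical request-shaped input to the DAO.
type RolePageQuery struct {
	RoleName  string // data value: can travel as a bound parameter
	SortName  string // identifier: cannot be bound, must be allow-listed
	SortOrder string
	PageNum   int
	PageSize  int
}

// selectListPageUnsafe reproduces the pattern the advisory describes:
// sortName is interpolated straight into ORDER BY. Hypothetical, shown only
// to contrast with BuildRolePageQuery.
func selectListPageUnsafe(q RolePageQuery) string {
	return fmt.Sprintf(
		"SELECT role_id, role_name FROM sys_role WHERE role_name LIKE '%%%s%%' ORDER BY %s %s LIMIT %d OFFSET %d",
		q.RoleName, q.SortName, q.SortOrder, q.PageSize, (q.PageNum-1)*q.PageSize)
}

// BuildRolePageQuery returns SQL text plus bound arguments. Data values use
// placeholders; the sort column and direction come from allow-lists, so the
// query structure is fixed no matter what the request contains.
func BuildRolePageQuery(q RolePageQuery) (string, []interface{}, error) {
	col, ok := sortableRoleColumns[q.SortName]
	if !ok {
		return "", nil, fmt.Errorf("%w: %q", ErrBadSortColumn, q.SortName)
	}
	dir := "ASC"
	switch strings.ToLower(q.SortOrder) {
	case "", "asc":
	case "desc":
		dir = "DESC"
	default:
		return "", nil, fmt.Errorf("%w: %q", ErrBadSortOrder, q.SortOrder)
	}
	if q.PageNum < 1 || q.PageSize < 1 || q.PageSize > 500 {
		return "", nil, ErrBadPage
	}
	query := "SELECT role_id, role_name FROM sys_role WHERE role_name LIKE ? ORDER BY " +
		col + " " + dir + " LIMIT ? OFFSET ?"
	args := []interface{}{"%" + q.RoleName + "%", q.PageSize, (q.PageNum - 1) * q.PageSize}
	return query, args, nil
}

func main() {
	req := RolePageQuery{RoleName: "admin", SortName: "role_id -- comment", SortOrder: "asc", PageNum: 1, PageSize: 10}
	fmt.Println("unsafe:  ", selectListPageUnsafe(req)) // raw input lands in ORDER BY
	if _, _, err := BuildRolePageQuery(req); err != nil {
		fmt.Println("hardened:", err) // rejected before any SQL is built
	}
	req.SortName = "roleId"
	query, args, _ := BuildRolePageQuery(req)
	fmt.Println("hardened:", query, args)
}
```

The returned query and args go to db.QueryContext (or the ORM's raw-query equivalent) unchanged; the handler should treat ErrBadSortColumn and ErrBadSortOrder as a 400 response and log them, since a rejected sort column is exactly the event the detection section says to watch for.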
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

