CVE-2025-10218 Overview
CVE-2025-10218 is a SQL injection vulnerability in lostvip-com ruoyi-go version 2.1. The flaw resides in the SelectListPage function within modules/system/dao/SysRoleDao.go, part of the Background Management Page component. Attackers can manipulate the sortName argument to inject arbitrary SQL statements. Remote exploitation is possible over the network and requires low-privilege authentication. The exploit has been published publicly. The vendor was contacted prior to disclosure but did not respond. The vulnerability is tracked under CWE-89 (SQL Injection) and CWE-74 (Improper Neutralization of Special Elements).
Critical Impact
Authenticated remote attackers can inject SQL through the sortName parameter, enabling unauthorized data access, modification, or disclosure within the application database.
Affected Products
- lostvip-com ruoyi-go 2.1
- modules/system/dao/SysRoleDao.go (SelectListPage function)
- Background Management Page component
Discovery Timeline
- 2025-09-10 - CVE-2025-10218 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2025-10218
Vulnerability Analysis
The vulnerability stems from improper neutralization of user-supplied input in the SelectListPage function of SysRoleDao.go. The sortName parameter is concatenated directly into an SQL ORDER BY clause without sanitization or parameterization. Because ORDER BY takes a column identifier, which prepared-statement placeholders cannot bind in most database drivers, developers must validate the requested column name against an allowlist instead. The ruoyi-go implementation does not perform this validation. The vulnerability requires authenticated access to the background management interface but no user interaction. Public exploit material is available, increasing the risk of opportunistic exploitation against exposed deployments.
Root Cause
The root cause is unsafe string concatenation of the sortName request parameter into a dynamic SQL query within the data access layer. The function trusts the client-supplied sort identifier and passes it directly to the database driver. No input validation, escaping, or column-name allowlist is enforced before query execution.
Attack Vector
An authenticated attacker submits a crafted request to an endpoint that invokes SelectListPage, supplying a malicious sortName value. The injected payload alters the resulting SQL statement, allowing the attacker to extract data, manipulate query results, or perform time-based blind injection. The attack requires network access to the management interface and valid low-privilege credentials.
No verified exploitation code is provided here. Public references with technical details are available through the GitHub Issue tracking CVE-2025-10218 and the VulDB entry #323486.
Detection Methods for CVE-2025-10218
Indicators of Compromise
- HTTP requests to background management endpoints containing SQL keywords (UNION, SELECT, SLEEP, --) within the sortName parameter.
- Database error messages or anomalous query latency correlating with management UI requests.
- Unexpected access patterns to the sys_role table or related role-management queries.
Detection Strategies
- Inspect web access logs for the sortName parameter and flag values containing SQL metacharacters, whitespace, or non-alphanumeric content.
- Deploy a web application firewall (WAF) with SQL injection signatures applied to management routes of ruoyi-go.
- Enable database query logging and alert on queries from the application user containing unusual ORDER BY clauses.
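The first detection strategy above (inspecting access logs for sortName values that are not plain column identifiers) can be scripted. The following Go program is an added example written for this page, not part of ruoyi-go; the access-log lines, the /system/role/list path and the identifier-only rule for a legitimate sortName are constructed assumptions, so adjust them to the real route and column naming of the deployment.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// safeSortName describes the shape of a legitimate sort column: letters,
// digits and underscores only. Anything else (whitespace, quotes, parentheses,
// comment markers, commas) is flagged. Assumption for this example.
var safeSortName = regexp.MustCompile(`^[A-Za-z0-9_]+$`)

// Finding records one suspicious request found in the access log.
type Finding struct {
	Line     int    // 1-based line number in the log
	SortName string // decoded sortName value that failed the check
}

// extractSortName pulls the sortName query parameter out of a combined-format
// access-log line (the request target is the field starting with "/").
// ok is false when the line carries no sortName parameter.
func extractSortName(logLine string) (value string, ok bool) {
	for _, field := range strings.Fields(logLine) {
		if !strings.HasPrefix(field, "/") || !strings.Contains(field, "?") {
			continue
		}
		u, err := url.Parse(field)
		if err != nil {
			return "", false
		}
		values := u.Query()["sortName"] // percent-encoding is decoded here
		if len(values) == 0 {
			return "", false
		}
		return values[0], true
	}
	return "", false
}

// ScanAccessLog returns every line whose sortName value contains characters
// that a column identifier never needs.
func ScanAccessLog(lines []string) []Finding {
	var findings []Finding
	for i, line := range lines {
		v, ok := extractSortName(line)
		if ok && !safeSortName.MatchString(v) {
			findings = append(findings, Finding{Line: i + 1, SortName: v})
		}
	}
	return findings
}

// sampleAccessLog is constructed test data: one benign request, one that
// smuggles a sort direction into the field, one with SQL in the field, and
// one request without sortName at all.
var sampleAccessLog = []string{
	`10.0.0.5 - admin [10/Sep/2025:09:15:01 +0000] "GET /system/role/list?pageNum=1&sortName=role_id HTTP/1.1" 200 1843`,
	`10.0.0.5 - admin [10/Sep/2025:09:15:07 +0000] "GET /system/role/list?pageNum=1&sortName=role_id%20desc HTTP/1.1" 200 1843`,
	`10.0.0.9 - user1 [10/Sep/2025:09:16:44 +0000] "GET /system/role/list?sortName=role_id%20AND%20SLEEP(5) HTTP/1.1" 200 1843`,
	`10.0.0.9 - user1 [10/Sep/2025:09:17:02 +0000] "GET /system/user/list?pageNum=2 HTTP/1.1" 200 990`,
}

func main() {
	for _, f := range ScanAccessLog(sampleAccessLog) {
		fmt.Printf("line %d: suspicious sortName %q\n", f.Line, f.SortName)
	}
}
```

The check is deliberately strict: the second sample line is flagged even though it only appends a sort direction, because whitespace in a column field is exactly what the vulnerable concatenation would pass through. On a real deployment, run the scanner over the full log and triage the flagged lines together with the query-latency and database-log signals listed above.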
Monitoring Recommendations
- Monitor authentication logs for low-privilege accounts issuing administrative requests outside normal patterns.
- Track query execution time on role-listing endpoints to identify potential time-based blind SQL injection attempts.
- Correlate WAF, application, and database telemetry to identify multi-stage injection probes.
How to Mitigate CVE-2025-10218
Immediate Actions Required
- Restrict network access to the ruoyi-go background management interface using firewall rules or VPN.
- Rotate credentials for any accounts with access to the management UI until a patch is applied.
- Apply WAF rules to block SQL metacharacters in the sortName parameter on affected endpoints.
Patch Information
No vendor patch is available at this time. The vendor did not respond to disclosure attempts according to the published advisory. Affected organizations should apply compensating controls and consider source-level fixes by modifying SelectListPage in modules/system/dao/SysRoleDao.go to validate sortName against an allowlist of permitted column names.
Workarounds
- Implement an allowlist in application code that maps client-supplied sort identifiers to known-safe column names before query construction.
- Remove or restrict the affected role-listing endpoint until source-level remediation is in place.
- Run the database account used by ruoyi-go with the minimum privileges required, reducing the impact of successful injection.
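The Root Cause section above describes the unsafe concatenation, and the first workaround describes the allowlist fix. The following Go code is an added example for this page, not ruoyi-go's actual SelectListPage: it places the vulnerable query-building pattern beside an allowlisted version. The sys_role column names, the client-facing sort identifiers and the query text are assumptions chosen for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// roleSortColumns maps the sort identifiers a client may send to the real
// column names used in ORDER BY. Both sides are assumptions for this example,
// not ruoyi-go's real schema. Only values in this map ever reach the query.
var roleSortColumns = map[string]string{
	"roleId":     "role_id",
	"roleName":   "role_name",
	"roleSort":   "role_sort",
	"createTime": "create_time",
}

// ErrInvalidSort is returned when the sort field or direction is not allowlisted.
var ErrInvalidSort = errors.New("sort parameter not in allowlist")

const baseRoleQuery = "SELECT role_id, role_name, role_sort, status FROM sys_role WHERE del_flag = '0'"

// buildRoleListQueryUnsafe reproduces the pattern the advisory describes:
// the client-controlled sortName is concatenated straight into ORDER BY.
// Shown only for contrast with the safe version below.
func buildRoleListQueryUnsafe(sortName, sortOrder string) string {
	query := baseRoleQuery
	if sortName != "" {
		query += " ORDER BY " + sortName + " " + sortOrder
	}
	return query + " LIMIT ? OFFSET ?"
}

// buildRoleListQuerySafe validates the sort field through the allowlist map
// and the direction through a fixed switch before either touches the query
// string. Page size and offset stay as bound parameters, which the driver
// can handle; identifiers cannot be bound, hence the allowlist.
func buildRoleListQuerySafe(sortName, sortOrder string) (string, error) {
	query := baseRoleQuery
	if sortName != "" {
		column, ok := roleSortColumns[sortName]
		if !ok {
			return "", fmt.Errorf("%w: field %q", ErrInvalidSort, sortName)
		}
		direction := "ASC"
		switch strings.ToUpper(sortOrder) {
		case "", "ASC":
		case "DESC":
			direction = "DESC"
		default:
			return "", fmt.Errorf("%w: direction %q", ErrInvalidSort, sortOrder)
		}
		query += " ORDER BY " + column + " " + direction
	}
	return query + " LIMIT ? OFFSET ?", nil
}

func main() {
	// Constructed attacker-style input: a column name followed by extra SQL.
	hostile := "role_id, (SELECT 1)"

	fmt.Println("unsafe:", buildRoleListQueryUnsafe(hostile, "ASC"))
	if _, err := buildRoleListQuerySafe(hostile, "ASC"); err != nil {
		fmt.Println("safe  :", err)
	}
	q, err := buildRoleListQuerySafe("roleSort", "desc")
	fmt.Println("safe  :", q, err)
}
```

Returning an error for an unknown identifier, rather than silently falling back to a default column, is a deliberate choice: it keeps the rejected value visible in application logs, which feeds the detection strategies described earlier on this page.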
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


