CVE-2025-11902 Overview
CVE-2025-11902 is a SQL injection vulnerability in yanyutao0402 ChanCMS versions up to 3.3.2. The flaw resides in the findField function within the /cms/article/findField endpoint. Attackers can manipulate the cid parameter to inject arbitrary SQL statements against the backend database. The attack is remotely exploitable and requires only low-privilege authentication.
The vulnerability is classified under [CWE-89] (SQL Injection) and [CWE-74] (Improper Neutralization of Special Elements). The exploit details are publicly disclosed. The vendor was contacted prior to disclosure but did not respond.
Critical Impact
Authenticated remote attackers can extract, modify, or delete database content through the cid parameter of the article findField endpoint.
Affected Products
- yanyutao0402 ChanCMS versions up to and including 3.3.2
- Deployments exposing the /cms/article/findField endpoint
- Installations using the vulnerable findField function without input sanitization
Discovery Timeline
- 2025-10-17 - CVE-2025-11902 published to the National Vulnerability Database (NVD)
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2025-11902
Vulnerability Analysis
The vulnerability exists in the findField function of the ChanCMS article module at the /cms/article/findField route. The function accepts a cid argument supplied via an HTTP request and incorporates it into a backend SQL query without proper sanitization or parameterization. An attacker who can reach the endpoint can append SQL operators and statements to the cid value to alter the resulting query.
This class of injection allows attackers to enumerate database schema, exfiltrate records, bypass authentication logic that relies on database lookups, or in some configurations execute administrative database operations. Because ChanCMS is a content management platform, the exposed database typically contains user credentials, session data, and published content.
Root Cause
The root cause is improper neutralization of special characters used in SQL commands, as described in [CWE-89]. The findField handler concatenates the user-controlled cid value directly into a SQL statement rather than using parameterized queries or a prepared statement API. There is no allowlist validation or type enforcement applied to the parameter before the query is executed.
Attack Vector
The attack vector is network-based and requires low privileges with no user interaction. An attacker sends a crafted HTTP request to /cms/article/findField containing a malicious payload in the cid parameter. The malicious string is interpolated into the SQL query and executed by the database engine.
The vulnerability is described in prose because no sanitized proof-of-concept code is provided in the verified data. Technical details and request structure are documented in the GitHub Vulnerability Note and the GitHub Article Field Analysis.
Detection Methods for CVE-2025-11902
Indicators of Compromise
- HTTP requests to /cms/article/findField containing SQL meta-characters in the cid parameter such as single quotes, UNION, SELECT, SLEEP, or comment markers (--, #, /*).
- Unexpected database error messages logged by the ChanCMS application following requests to the findField endpoint.
- Anomalous query patterns originating from the ChanCMS database user, including schema enumeration against information_schema.
Detection Strategies
- Deploy a web application firewall (WAF) rule that inspects requests to /cms/article/findField for SQL injection signatures in the cid argument.
- Enable verbose SQL query logging on the database backing ChanCMS and alert on queries containing union-based or boolean-based injection patterns.
- Correlate authentication events with requests to the vulnerable endpoint to identify low-privileged accounts probing the parameter.
Monitoring Recommendations
- Monitor HTTP access logs for repeated requests to /cms/article/findField from a single source, especially with varying cid payload lengths indicative of automated tooling such as sqlmap.
- Track outbound data volume from the ChanCMS database host to detect bulk exfiltration following successful exploitation.
- Alert on creation of new administrative accounts or modifications to authentication tables in the ChanCMS database.
How to Mitigate CVE-2025-11902
Immediate Actions Required
- Restrict network access to the ChanCMS administrative interface and the /cms/article/findField endpoint using IP allowlisting or reverse proxy authentication.
- Audit existing ChanCMS accounts and rotate credentials for any low-privilege users that could reach the vulnerable endpoint.
- Review database logs from the date of installation onward for evidence of injection attempts against the cid parameter.
Patch Information
No vendor patch is currently published. The vendor was contacted prior to disclosure but did not respond, according to the CVE record. Operators should monitor the ChanCMS project repository and the VulDB entry #328912 for future updates. Until a fix is released, defensive controls and code-level mitigations must compensate.
Workarounds
- Apply a WAF rule that blocks SQL meta-characters and known injection keywords in the cid parameter of requests to /cms/article/findField.
- If self-maintaining the deployment, modify the findField function to use parameterized queries or an ORM binding rather than string concatenation for the cid value.
- Enforce strict type validation on the cid parameter, accepting only the expected integer or identifier format before passing the value to any database operation.
# Example nginx rule to block SQL meta-characters in the cid parameter
location /cms/article/findField {
if ($arg_cid ~* "('|\"|;|--|/\*|union|select|sleep|benchmark)") {
return 403;
}
proxy_pass http://chancms_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

