Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-11904

CVE-2025-11904: Chancms Chancms SQL Injection Vulnerability

CVE-2025-11904 is a SQL injection vulnerability in Chancms Chancms up to version 3.3.2 affecting the hasUse function. Attackers can remotely exploit this flaw to manipulate database queries. This article covers technical details, affected versions, impact assessment, and mitigation strategies.

Published:

CVE-2025-11904 Overview

CVE-2025-11904 is a SQL injection vulnerability in yanyutao0402 ChanCMS versions up to 3.3.2. The flaw resides in the hasUse function of the /cms/model/hasUse file. Attackers can manipulate the ID argument to inject arbitrary SQL statements into backend database queries. The vulnerability is exploitable remotely and requires low privileges with no user interaction. Public exploit details have been disclosed, and the vendor did not respond to early disclosure attempts. The issue is classified under [CWE-89] (SQL Injection) and [CWE-74] (Improper Neutralization of Special Elements).

Critical Impact

Authenticated remote attackers can manipulate the ID parameter in the hasUse function to execute arbitrary SQL queries against the ChanCMS database, potentially exposing or modifying stored content.

Affected Products

  • ChanCMS versions up to and including 3.3.2
  • Affected file path: /cms/model/hasUse
  • Vulnerable function: hasUse

Discovery Timeline

  • 2025-10-17 - CVE-2025-11904 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-11904

Vulnerability Analysis

The vulnerability stems from improper neutralization of user-supplied input passed to the hasUse function located in /cms/model/hasUse. The ID argument is concatenated into an SQL query without parameterization or sanitization. This allows attackers to break out of the intended query context and append arbitrary SQL clauses.

ChanCMS is a Node.js-based content management system. Database queries constructed through string concatenation in model files expose the application to first-order injection. Because the request is reachable over the network and requires only low-level authenticated privileges, the attack surface is broad for any deployed instance.

Successful exploitation can lead to unauthorized data retrieval, modification of records, or enumeration of database schema. The EPSS score sits at 0.597%, reflecting moderate near-term exploitation probability now that proof-of-concept material is public.

Root Cause

The root cause is the absence of prepared statements or input validation in the hasUse model function. User-controlled ID values are interpolated directly into SQL strings, violating the principle of separating code from data ([CWE-89]).

Attack Vector

An attacker sends a crafted HTTP request to the endpoint invoking the hasUse model, supplying a malicious ID parameter. Because the attack is network-reachable and the complexity is low, automated scanners can identify and exploit vulnerable instances at scale. Refer to the GitHub Vulnerability Note for technical details of the injection point.

// No verified exploit code is published in the enriched data.
// See the linked GitHub vulnerability note for technical specifics.

Detection Methods for CVE-2025-11904

Indicators of Compromise

  • HTTP requests targeting /cms/model/hasUse containing SQL metacharacters such as single quotes, UNION, SELECT, --, or OR 1=1 in the ID parameter.
  • Unexpected database errors or anomalous query latency in ChanCMS application logs.
  • Unusual outbound database connections or large result sets returned from the hasUse endpoint.

Detection Strategies

  • Deploy web application firewall (WAF) rules to flag SQL injection patterns targeting the ID parameter on ChanCMS endpoints.
  • Enable database query logging and alert on syntactically anomalous queries originating from the ChanCMS application user.
  • Inspect application logs for repeated 500-class errors associated with the hasUse function.

Monitoring Recommendations

  • Forward ChanCMS application and database logs to a centralized SIEM for correlation.
  • Monitor authentication logs for low-privileged accounts performing high-volume access to model endpoints.
  • Establish baselines for normal hasUse query patterns and alert on deviations.

How to Mitigate CVE-2025-11904

Immediate Actions Required

  • Restrict network exposure of ChanCMS administrative and model endpoints to trusted networks only.
  • Audit accounts with low-level access and revoke unnecessary credentials that could be leveraged for exploitation.
  • Deploy WAF signatures blocking SQL injection payloads against /cms/model/hasUse.

Patch Information

As of the last NVD update on 2026-06-17, no vendor patch has been published. The vendor was contacted prior to disclosure but did not respond. Monitor the ChanCMS project repository and VulDB entry #328914 for future fix announcements.

Workarounds

  • Place ChanCMS behind a reverse proxy with strict input filtering on the ID parameter.
  • Apply database-level least-privilege controls so the ChanCMS service account cannot modify schema or read sensitive tables.
  • Consider migrating to an alternative CMS until a vendor patch is released, given the absence of vendor response.
bash
# Example WAF rule (ModSecurity) blocking SQLi patterns on the vulnerable path
SecRule REQUEST_URI "@contains /cms/model/hasUse" \
  "id:1011904,phase:2,deny,status:403,\
   chain,msg:'CVE-2025-11904 ChanCMS hasUse SQLi attempt'"
  SecRule ARGS:ID "@detectSQLi" "t:none"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.