CVE-2025-12255 Overview
CVE-2025-12255 is a SQL injection vulnerability in code-projects Online Event Judging System 1.0. The flaw resides in the /add_contestant.php script, where the fullname parameter is passed to a backend SQL query without proper sanitization. An authenticated remote attacker with low privileges can manipulate this parameter to inject arbitrary SQL syntax. Public disclosure of the exploit technique has been reported, increasing the likelihood of opportunistic abuse against exposed installations. The weakness is tracked under [CWE-74] (Improper Neutralization of Special Elements in Output Used by a Downstream Component).
Critical Impact
Successful exploitation allows attackers to read, modify, or delete contestant and judging records stored in the application database.
Affected Products
- Carmelo Online Event Judging System 1.0
- Component: /add_contestant.php
- Vulnerable parameter: fullname
Discovery Timeline
- 2025-10-27 - CVE-2025-12255 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2025-12255
Vulnerability Analysis
The vulnerability stems from improper neutralization of user-supplied input in the contestant registration workflow. The add_contestant.php endpoint accepts a fullname parameter from an HTTP request and concatenates the value directly into a SQL statement. Because the application does not use parameterized queries or input sanitization, attacker-controlled SQL syntax is interpreted by the database engine.
Exploitation requires network access to the application and a low-privilege authenticated session. No user interaction is needed. According to the EPSS model dated 2026-06-02, the probability of exploitation activity is 0.031%, but public release of the exploit lowers the operational barrier for attackers.
Root Cause
The root cause is the absence of prepared statements or input validation when handling the fullname field in /add_contestant.php. User input flows directly into a SQL query, allowing the injection of operators such as UNION, OR, and stacked statements. This is a classic injection pattern aligned with [CWE-74].
Attack Vector
The attack vector is network-based. An attacker submits a crafted POST or GET request to /add_contestant.php, embedding SQL metacharacters in the fullname parameter. The injected payload executes against the backend database with the privileges of the application's database user, enabling data extraction, modification, or destructive operations against contestant and judging records.
No verified exploit code is published in this advisory. Refer to the GitHub CVE Issue #3 and VulDB #329926 for technical references.
Detection Methods for CVE-2025-12255
Indicators of Compromise
- HTTP requests to /add_contestant.php containing SQL keywords such as UNION, SELECT, SLEEP, or -- in the fullname parameter.
- Unexpected database errors or anomalously long response times originating from the contestant registration endpoint.
- New or modified rows in contestant tables that do not match legitimate registration activity.
Detection Strategies
- Deploy a web application firewall rule that inspects POST/GET parameters to /add_contestant.php for SQL metacharacters and common injection signatures.
- Enable database query logging and alert on queries originating from the application that contain tautologies (e.g., OR 1=1) or stacked statements.
- Correlate authentication logs with abnormal contestant registration volume from a single session or IP.
Monitoring Recommendations
- Forward web server, application, and database logs to a centralized log platform for retention and query.
- Baseline normal add_contestant.php request patterns and alert on deviations in payload length or character composition.
- Monitor application-to-database query traffic for unexpected INFORMATION_SCHEMA enumeration patterns, which rarely appear in legitimate contestant registration.
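The indicators and detection strategies above can be checked against web server access logs offline. The following Python script is an added example, not part of the original advisory or the vendor's code; it assumes a combined log format with a trailing request-time field and a 2-second slow-response threshold (both assumptions), and the sample log lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlparse, parse_qs

# Constructed sample lines in a combined log format with an added request-time
# field at the end; these are not real logs from any system.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Oct/2025:10:00:01 +0000] "GET /add_contestant.php?fullname=Jane+Doe HTTP/1.1" 200 512 0.012
10.0.0.9 - - [27/Oct/2025:10:00:02 +0000] "GET /add_contestant.php?fullname=x%27+UNION+SELECT+1%2C2%2C3-- HTTP/1.1" 500 88 0.015
10.0.0.9 - - [27/Oct/2025:10:00:03 +0000] "GET /add_contestant.php?fullname=x%27+AND+SLEEP%285%29-- HTTP/1.1" 200 512 5.021
10.0.0.7 - - [27/Oct/2025:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 1024 0.003
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]+" (\d{3}) \d+ ([\d.]+)$')
# Signatures drawn from the advisory's indicators (UNION/SELECT, tautology, comment, SLEEP).
SQLI_RE = re.compile(r"(?i)(union(\s|/\*)+select|\bor\s+1=1|--|;\s*drop|\bsleep\s*\()")
SLOW_SECONDS = 2.0  # assumed baseline threshold for this endpoint

def analyze_line(line):
    """Return the indicator names triggered by one access-log line (empty if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    _ip, _method, target, status, rtime = m.groups()
    url = urlparse(target)
    if url.path != "/add_contestant.php":
        return []
    fullname = parse_qs(url.query).get("fullname", [""])[0]  # parse_qs URL-decodes
    hits = []
    if SQLI_RE.search(fullname):
        hits.append("sqli_signature")
    if status.startswith("5"):
        hits.append("server_error")  # unexpected database error surfaced as 5xx
    if float(rtime) >= SLOW_SECONDS:
        hits.append("slow_response")  # possible time-based probing
    return hits

def scan(log_text):
    """Return (per-line findings, suspicious-request count per client IP) for correlation."""
    findings = []
    per_ip = Counter()
    for line in log_text.splitlines():
        hits = analyze_line(line)
        if hits:
            ip = line.split()[0]
            per_ip[ip] += 1
            findings.append((ip, hits))
    return findings, per_ip
```

The per-IP counter supports the correlation step above: several flagged requests from one client in a short window is a stronger signal than any single match.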
How to Mitigate CVE-2025-12255
Immediate Actions Required
- Restrict network access to the Online Event Judging System 1.0 application until a patched build is available.
- Audit existing contestant records for unauthorized modifications and rotate any credentials stored in or accessible from the application database.
- Place a WAF in front of the application to block requests containing SQL injection signatures targeting the fullname parameter.
Patch Information
At the time of publication, no vendor-supplied patch is referenced in the NVD entry. Administrators should monitor the Code Projects Resource page and the VulDB #329926 advisory for vendor updates. Until an official fix is released, code maintainers should refactor add_contestant.php to use parameterized queries (e.g., PDO prepared statements) and apply strict input validation on the fullname field.
Workarounds
- Apply server-side input validation that rejects non-alphanumeric characters in the fullname field where business logic permits.
- Run the application's database account with least-privilege rights, restricting DDL operations and access to unrelated schemas.
- Enforce authenticated access to the registration workflow and rate-limit submissions per session.
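To show the root cause described in the analysis above next to the parameterized-query and input-validation fixes recommended in the patch and workaround sections, the following Python/sqlite3 model is an added example and not the application's PHP code; the contestant schema, the in-memory database and the allowlist regex (letters, digits, spaces, hyphens and apostrophes) are assumptions standing in for the real backend and business rules.

```python
import re
import sqlite3

# Assumed minimal schema for the contestant table; the real application's
# schema is not published in the advisory.
SCHEMA = "CREATE TABLE contestant (id INTEGER PRIMARY KEY, fullname TEXT NOT NULL)"
NAME_RE = re.compile(r"^[A-Za-z0-9 '\-]{1,100}$")  # assumed business allowlist

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn

def add_contestant_vulnerable(conn, fullname):
    """Mirrors the flawed pattern: user input concatenated into the SQL text."""
    sql = "INSERT INTO contestant (fullname) VALUES ('" + fullname + "')"
    conn.execute(sql)  # a single quote in fullname breaks or reshapes the query
    conn.commit()

def is_valid_fullname(fullname):
    """Server-side allowlist check applied before the value reaches the database."""
    return NAME_RE.fullmatch(fullname) is not None

def add_contestant_fixed(conn, fullname):
    """Hardened form: validate, then bind the value with a parameterized query."""
    if not is_valid_fullname(fullname):
        raise ValueError("fullname contains characters outside the allowed set")
    # The placeholder keeps fullname as data; it can never become SQL syntax.
    conn.execute("INSERT INTO contestant (fullname) VALUES (?)", (fullname,))
    conn.commit()

def names(conn):
    return [row[0] for row in conn.execute("SELECT fullname FROM contestant ORDER BY id")]

def demo():
    """Return (vulnerable_error, stored_names) to contrast the two behaviours."""
    conn = make_db()
    try:
        add_contestant_vulnerable(conn, "O'Brien")  # legitimate name, broken query
        vulnerable_error = None
    except sqlite3.Error as exc:
        vulnerable_error = type(exc).__name__
    add_contestant_fixed(conn, "O'Brien")  # same name stored literally
    add_contestant_fixed(conn, "Jane Doe")
    return vulnerable_error, names(conn)
```

The apostrophe case is the point: validation alone still has to admit it for real names, so the prepared statement, not the allowlist, is what removes the injection.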
# Example ModSecurity rule to block SQLi attempts against add_contestant.php.
# Rule 1 of the chain matches the vulnerable endpoint; rule 2 inspects the
# fullname argument. The deny action fires only when both rules match.
SecRule REQUEST_URI "@contains /add_contestant.php" \
"id:1012255,phase:2,deny,status:403,\
msg:'Possible SQLi targeting CVE-2025-12255',\
chain"
# Chained rule: reset transformations, URL-decode fullname once more, then
# look for UNION/SELECT, the OR 1=1 tautology, comment markers and stacked DROP.
SecRule ARGS:fullname "@rx (?i)(union(\s|/\*)+select|or\s+1=1|--|;\s*drop)" \
"t:none,t:urlDecodeUni"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

