CVE-2025-13121 Overview
A SQL Injection vulnerability has been identified in cameasy Liketea version 1.0.0. The vulnerability exists in the list function within the file laravel/app/Http/Controllers/Front/StoreController.php of the API Endpoint component. Improper handling of the lng and lat parameters allows attackers to inject malicious SQL code, potentially compromising the underlying database. The attack can be performed remotely without authentication, and a proof-of-concept exploit has been publicly disclosed.
Critical Impact
Remote attackers can exploit unsanitized geographic coordinate parameters to execute arbitrary SQL queries, potentially leading to unauthorized data access, data manipulation, or complete database compromise.
Affected Products
- cameasy Liketea 1.0.0
- Laravel-based installations using the vulnerable StoreController.php
- API endpoints accepting lng and lat parameters
Discovery Timeline
- 2025-11-13 - CVE-2025-13121 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-13121
Vulnerability Analysis
This SQL Injection vulnerability (CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component) resides in the store listing functionality of the Liketea application. The vulnerable endpoint processes geographic coordinates (lng for longitude and lat for latitude) without proper input validation or parameterized queries. When user-supplied values are directly concatenated into SQL queries, attackers can manipulate the query structure to extract sensitive information, modify data, or bypass authentication mechanisms.
The vulnerability is accessible over the network and requires no prior authentication or user interaction to exploit. This makes it particularly dangerous for publicly accessible Liketea deployments. The exploit has been publicly disclosed, increasing the likelihood of opportunistic attacks against unpatched systems.
Root Cause
The root cause of this vulnerability is the lack of proper input sanitization and the absence of parameterized queries in the StoreController.php file. When the list function processes the lng and lat parameters from API requests, these values are incorporated directly into database queries without escaping special characters or using prepared statements. This allows attackers to break out of the intended query context and inject arbitrary SQL commands.
Attack Vector
The attack is conducted remotely through the API endpoint that handles store listing requests. An attacker crafts malicious HTTP requests containing SQL injection payloads in the lng or lat parameters. Since the application fails to validate these inputs as legitimate geographic coordinates, the injected SQL code is executed against the database with the same privileges as the application's database user.
The vulnerability can be exploited to perform various malicious actions including extracting sensitive user data, modifying or deleting database records, and potentially gaining further access to the underlying server depending on database configuration and privileges.
For technical details on exploitation methods, refer to the GitHub PoC Repository and VulDB #332349 Details.
Detection Methods for CVE-2025-13121
Indicators of Compromise
- Unusual or malformed values in lng and lat parameters in web server access logs
- Database query logs showing unexpected SQL syntax or UNION-based injection patterns
- Error messages in application logs indicating SQL syntax errors from the StoreController.php file
- Unexpected data extraction or modification in store-related database tables
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect SQL injection patterns in geographic coordinate parameters
- Configure intrusion detection systems (IDS) to alert on requests containing SQL keywords in API parameters
- Enable detailed logging for the API endpoint and monitor for anomalous request patterns
- Deploy runtime application self-protection (RASP) solutions to detect SQL injection attempts at the application level
Monitoring Recommendations
- Monitor database audit logs for unusual query patterns originating from the application
- Set up alerts for failed SQL queries or syntax errors in production environments
- Track API endpoint usage patterns and flag requests with non-numeric values in coordinate fields
- Review web server logs regularly for reconnaissance attempts targeting the store listing endpoint
How to Mitigate CVE-2025-13121
Immediate Actions Required
- Restrict access to the affected API endpoint using firewall rules or authentication requirements
- Implement input validation to ensure lng and lat parameters contain only valid numeric coordinate values
- Apply WAF rules to block SQL injection attempts targeting the vulnerable endpoint
- Consider temporarily disabling the store listing feature if it is not business-critical
Patch Information
At the time of publication, no official vendor patch has been released for this vulnerability. Organizations using cameasy Liketea 1.0.0 should monitor the official project channels for security updates. In the absence of an official patch, implementing the workarounds below is strongly recommended.
For additional vulnerability details, see VulDB Submission #683659.
Workarounds
- Modify the StoreController.php file to use Laravel's Eloquent ORM with parameterized queries instead of raw SQL
- Implement strict input validation that rejects any non-numeric characters in the lng and lat parameters
- Add server-side validation to ensure coordinate values fall within valid geographic ranges (latitude: -90 to 90, longitude: -180 to 180)
- Deploy a reverse proxy or WAF to filter malicious requests before they reach the application
# Example: Laravel input validation middleware configuration
# Add to app/Http/Middleware/ValidateCoordinates.php
# Validate that lng and lat are numeric and within valid ranges
php artisan make:middleware ValidateCoordinates
# Register middleware in app/Http/Kernel.php
# Apply to routes handling store listing functionality
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
