CVE-2025-13580: Library System SQL Injection Flaw

CVE-2025-13580 is a SQL injection vulnerability in Code-projects Library System 1.0 affecting the /mail.php file. Attackers can exploit the ID parameter remotely. This article covers technical details, impact, and mitigation.

CVE-2025-13580 Overview

CVE-2025-13580 is a SQL injection vulnerability in code-projects Library System 1.0. The flaw resides in the /mail.php script, where the ID parameter is concatenated into a database query without proper sanitization. Remote attackers with low-privilege access can manipulate the ID argument to inject arbitrary SQL statements. The exploit details have been publicly disclosed, increasing the likelihood of opportunistic attacks against exposed installations. The vulnerability is categorized under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-74 (Improper Neutralization of Special Elements in Output).

Critical Impact

Authenticated remote attackers can inject SQL through the ID parameter in /mail.php, exposing library system data to unauthorized read, modification, or limited disruption.

Affected Products

  • code-projects Library System 1.0
  • Deployments using cpe:2.3:a:code-projects:library_system:1.0
  • Web-facing PHP installations exposing /mail.php

Discovery Timeline

  • 2025-11-24 - CVE-2025-13580 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-13580

Vulnerability Analysis

The vulnerability stems from unsanitized user input passed to a SQL query within /mail.php. The ID parameter accepted via HTTP request is directly concatenated into a database statement. Attackers can supply SQL metacharacters and crafted payloads to alter the query logic. Because the injection occurs in a script handling mail-related functionality, attackers can probe adjacent tables containing user records, credentials, or correspondence data. Public disclosure of the exploit details lowers the technical barrier for exploitation. The EPSS score of 0.267% reflects current low observed exploitation activity, though publicly available SQL injection payloads make reliable weaponization straightforward.

Root Cause

The root cause is the absence of parameterized queries or prepared statements when handling the ID request parameter in /mail.php. The application performs string concatenation to build SQL queries, allowing attacker-controlled input to break out of the intended query context. Input validation routines do not enforce a numeric type constraint on ID, nor does the code apply escaping appropriate to the database driver in use.

Attack Vector

Exploitation requires network access to the application and low-privilege authentication. An attacker submits a crafted HTTP request to /mail.php with a malicious ID value containing SQL syntax such as UNION SELECT clauses, boolean-based blind payloads, or time-based payloads. Successful injection enables data extraction from the underlying MySQL database, modification of stored records, or limited denial-of-service via expensive queries. No user interaction is required beyond the attacker's session.

For technical specifics, see the GitHub Issue Discussion and VulDB Entry #333344.

Detection Methods for CVE-2025-13580

Indicators of Compromise

  • HTTP requests to /mail.php containing SQL metacharacters such as single quotes, UNION, SELECT, --, or /* in the ID parameter
  • Web server access logs showing unusually long or URL-encoded ID values targeting /mail.php
  • Database error messages returned in HTTP responses referencing MySQL syntax errors
  • Repeated requests to /mail.php from a single source IP with incrementing or fuzzed ID values

Detection Strategies

  • Deploy web application firewall (WAF) rules that flag SQL injection signatures targeting the ID parameter on /mail.php
  • Enable verbose query logging on the MySQL backend and alert on syntactically anomalous queries originating from the Library System application user
  • Correlate web access logs with database error logs to identify successful injection attempts
  • Monitor for outbound data volume spikes from the database host, which may indicate bulk extraction via UNION-based injection

Monitoring Recommendations

  • Forward web server, application, and database logs to a centralized analytics platform for cross-source correlation
  • Establish baselines for request volume and parameter length on /mail.php to detect deviations
  • Alert on HTTP 500 responses from /mail.php, which often accompany injection probing
  • Review authentication logs for low-privilege accounts performing unusual access patterns against library endpoints
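The indicators and detection points above, turned into a small log scanner as an added example (not code from the advisory or from the Library System project). It reads combined-format web access log lines, applies the integer check the mitigation section recommends to the ID parameter, looks for the listed SQL metacharacters after URL decoding, flags HTTP 500 responses from /mail.php, and counts repeated requests per source IP. The sample log lines are constructed and the length and repeat thresholds are assumptions; it needs PHP 8.0 or later.

```php
<?php
// Added example (not from the advisory or the Library System project): scan combined-
// format access log lines for the /mail.php indicators above; sample lines are constructed.
declare(strict_types=1);
const LOG_RE = '/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) /'; // ip, method, target, status

function rawIdParam(string $target): ?string
{
    foreach (explode('&', (string) parse_url($target, PHP_URL_QUERY)) as $pair) {
        if (str_starts_with($pair, 'ID=')) return substr($pair, 3);
    }
    return null;
}

function idIndicators(string $rawId): array
{
    $id = urldecode($rawId); // inspect the value the application would actually see
    $hits = [];
    if (!ctype_digit($id)) $hits[] = 'ID is not a positive integer';
    if (preg_match('/[\'"]|--|\/\*|\bunion\b|\bselect\b|\bsleep\b/i', $id)) $hits[] = 'SQL metacharacters';
    if (strlen($rawId) > 32) $hits[] = 'unusually long or encoded ID'; // 32 is an assumed baseline
    return $hits;
}

function scanAccessLog(array $lines, int $repeatThreshold = 5): array
{
    $alerts = $perIp = [];
    foreach ($lines as $line) {
        if (!preg_match(LOG_RE, $line, $m)) continue;
        [, $ip, , $target, $status] = $m;
        if (parse_url($target, PHP_URL_PATH) !== '/mail.php') continue;
        $perIp[$ip] = ($perIp[$ip] ?? 0) + 1;
        $rawId = rawIdParam($target);
        $hits = $rawId === null ? [] : idIndicators($rawId);
        if ($status === '500') $hits[] = 'HTTP 500 from /mail.php'; // DB syntax errors often surface as 500
        if ($hits) $alerts[] = "$ip $target: " . implode('; ', $hits);
    }
    foreach ($perIp as $ip => $n) {
        if ($n >= $repeatThreshold) $alerts[] = "$ip: $n requests to /mail.php (fuzzing or enumeration?)";
    }
    return $alerts;
}

$sample = [ // constructed: a benign lookup, a UNION probe, and a quote that triggered a DB error
    '10.0.0.5 - alice [24/Nov/2025:10:00:01 +0000] "GET /mail.php?ID=42 HTTP/1.1" 200 512',
    '198.51.100.7 - bob [24/Nov/2025:10:00:02 +0000] "GET /mail.php?ID=42%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 2048',
    '198.51.100.7 - bob [24/Nov/2025:10:00:03 +0000] "GET /mail.php?ID=42%27 HTTP/1.1" 500 128',
];
foreach (scanAccessLog($sample, 2) as $alert) echo $alert, PHP_EOL;
```

Run it against real access logs by replacing $sample with file() output; the integer check alone catches probes that signature lists miss, because a legitimate ID is never anything but digits.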

How to Mitigate CVE-2025-13580

Immediate Actions Required

  • Restrict network access to the Library System application to trusted users until a fix is applied
  • Audit /mail.php source code and replace string-concatenated SQL with prepared statements using PDO or mysqli parameter binding
  • Enforce strict type validation on the ID parameter, rejecting any value that is not a positive integer
  • Rotate database credentials and review database accounts to ensure the application user holds least-privilege permissions
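A hardened version of the ID lookup in /mail.php, as an added example (not the project's own code) of the two fixes named in the Root Cause and Immediate Actions sections: strict positive-integer validation of ID and a PDO prepared statement with typed parameter binding. The table and column names, the DSN and the credentials are assumptions; it requires PHP 8.0 or later.

```php
<?php
// Added example (not code from code-projects Library System): a hardened version of
// the ID lookup in /mail.php. Table/column names, DSN and credentials are assumptions;
// requires PHP 8.0+ (mixed type) and the PDO MySQL driver.
declare(strict_types=1);

function validateId(mixed $raw): ?int
{
    // Accept only a canonical positive integer: no sign, spaces, quotes or keywords.
    if (!is_string($raw) || !ctype_digit($raw)) {
        return null;
    }
    $id = (int) $raw;
    // The round-trip check also rejects leading zeros and values beyond PHP_INT_MAX.
    return ($id > 0 && (string) $id === $raw) ? $id : null;
}

function fetchMail(PDO $pdo, int $id): ?array
{
    // Vulnerable pattern the advisory describes (string concatenation), for contrast:
    //   $sql = "SELECT * FROM mail WHERE id = " . $_GET['ID'];
    // Prepared statement: the bound value reaches the server as data, never as SQL text.
    $stmt = $pdo->prepare('SELECT id, subject, body FROM mail WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$id = validateId($_GET['ID'] ?? null);
if ($id === null) {
    http_response_code(400);
    exit('Invalid ID');
}

// Least-privilege account: read-only, since this page only reads mail records.
$pdo = new PDO('mysql:host=localhost;dbname=library;charset=utf8mb4', 'library_ro', 'assumed-secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares, not client-side quoting
]);

try {
    $mail = fetchMail($pdo, $id);
} catch (PDOException $e) {
    error_log($e->getMessage()); // keep driver error text out of the HTTP response
    http_response_code(500);
    exit('Internal error');
}
// $mail is now null (no such row) or the requested record; render it as the page normally would.
```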

Patch Information

No official vendor patch has been published for code-projects Library System 1.0 at the time of this writing. Administrators should monitor code-projects.org for vendor updates and consider deploying compensating controls. Where possible, migrate to a maintained library management platform that follows secure coding practices.

Workarounds

  • Place the application behind a WAF configured to block SQL injection payloads targeting the ID parameter
  • Implement server-side input validation that casts ID to an integer before use, for example via intval($_GET['ID']) in PHP
  • Disable verbose database error reporting in the application configuration to limit information leakage to attackers
  • Configure the database account used by the application with read-only access where write operations are not required

```apache
# Example ModSecurity rule to block SQL injection on /mail.php ID parameter
SecRule REQUEST_URI "@beginsWith /mail.php" \
    "id:1013580,phase:2,deny,status:403,\
    chain,msg:'CVE-2025-13580 SQLi attempt on mail.php ID parameter'"
    SecRule ARGS:ID "@detectSQLi" \
        "t:none,t:urlDecodeUni,t:lowercase"
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
