CVE-2025-22141: WeGIA SQL Injection Vulnerability

CVE-2025-22141 is a SQL injection vulnerability in WeGIA that allows attackers to execute arbitrary SQL commands through the cargo parameter. This article covers technical details, affected versions, impact, and mitigation.

CVE-2025-22141 Overview

CVE-2025-22141 is a SQL Injection vulnerability in WeGIA, an open-source web manager for charitable institutions. The flaw exists in the /dao/verificar_recursos_cargo.php endpoint, specifically in the cargo parameter. Attackers can inject arbitrary SQL commands to compromise the confidentiality, integrity, and availability of the underlying database. The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). WeGIA versions prior to 3.2.8 are affected, and the issue is fixed in version 3.2.8.

Critical Impact

Authenticated attackers can execute arbitrary SQL queries against the WeGIA database, exposing sensitive data on beneficiaries, donors, and staff managed by charitable institutions.

Affected Products

  • WeGIA versions prior to 3.2.8
  • Component: wegia:wegia
  • Vulnerable endpoint: /dao/verificar_recursos_cargo.php

Discovery Timeline

  • 2025-01-08 - CVE-2025-22141 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-22141

Vulnerability Analysis

The vulnerability resides in the /dao/verificar_recursos_cargo.php endpoint of WeGIA. The cargo HTTP parameter is concatenated directly into a SQL query without parameterization or sanitization. This allows an attacker to break out of the intended query context and append arbitrary SQL syntax. Because WeGIA stores records related to charitable operations, including personally identifiable information about beneficiaries and donors, exploitation has direct consequences for data confidentiality. The CVSS 4.0 vector indicates the attack requires only low privileges and no user interaction, and it can be conducted across the network.

Root Cause

The root cause is improper input neutralization in a PHP Data Access Object (DAO) script. The cargo parameter is incorporated into a SQL statement using string concatenation rather than prepared statements with bound parameters. This is a textbook CWE-89 pattern. The WeGIA maintainers addressed the issue in version 3.2.8 by refactoring the affected query, as described in the GitHub Security Advisory GHSA-w7hp-2w2c-p636.
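The following example, added here to illustrate the CWE-89 pattern described above, is not WeGIA's PHP code; it recreates the same defect and the same fix in Python against an in-memory SQLite table whose name and columns are assumptions. The concatenating lookup lets quote characters in the parameter alter the statement, while the parameterized lookup compares the identical input purely as data.

```python
import sqlite3

# Constructed in-memory table standing in for a job-role (cargo) lookup;
# table and column names are assumptions, not WeGIA's real schema.
def build_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE recursos_cargo (cargo TEXT, recurso TEXT)")
    conn.executemany(
        "INSERT INTO recursos_cargo VALUES (?, ?)",
        [("gestor", "relatorios"), ("voluntario", "agenda"), ("admin", "usuarios")],
    )
    return conn


def lookup_concatenated(conn: sqlite3.Connection, cargo: str) -> list:
    # The CWE-89 pattern: the parameter is spliced into the SQL text, so any
    # quote characters inside it become part of the statement's syntax.
    sql = "SELECT recurso FROM recursos_cargo WHERE cargo = '" + cargo + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, cargo: str) -> list:
    # The fix pattern: the SQL text is fixed and the value is bound separately,
    # so whatever the parameter contains is compared as data, never parsed.
    sql = "SELECT recurso FROM recursos_cargo WHERE cargo = ?"
    return conn.execute(sql, (cargo,)).fetchall()


def demo() -> dict:
    conn = build_demo_db()
    benign = "gestor"
    # Constructed tautology value; a legitimate cargo never contains a quote.
    tamper = "x' OR '1'='1"
    return {
        "concat_benign": lookup_concatenated(conn, benign),   # one matching row
        "concat_tamper": lookup_concatenated(conn, tamper),   # every row leaks
        "param_benign": lookup_parameterized(conn, benign),   # one matching row
        "param_tamper": lookup_parameterized(conn, tamper),   # no row matches
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The point of the side-by-side is that the parameterized query needs no escaping or metacharacter filtering to be safe; the refactoring the maintainers shipped in 3.2.8 is the PHP equivalent of binding the value rather than concatenating it.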

Attack Vector

An attacker with low-privilege access to a WeGIA deployment sends an HTTP request to /dao/verificar_recursos_cargo.php containing a crafted cargo parameter. The payload includes SQL metacharacters such as single quotes, UNION SELECT clauses, or stacked queries. The server executes the injected SQL with the application database user's privileges. Successful exploitation enables data exfiltration, modification, or deletion. No verified public proof-of-concept code is currently available; see the vendor advisory for technical details.

Detection Methods for CVE-2025-22141

Indicators of Compromise

  • HTTP requests to /dao/verificar_recursos_cargo.php containing SQL metacharacters such as ', --, UNION, SELECT, or ; in the cargo parameter.
  • Unusually long or URL-encoded values in the cargo parameter that do not match expected job role identifiers.
  • Web server or PHP error logs referencing database exceptions originating from verificar_recursos_cargo.php.
  • Unexpected database read or write activity tied to the WeGIA application account.

Detection Strategies

  • Inspect web access logs for requests targeting /dao/verificar_recursos_cargo.php with non-standard cargo values.
  • Deploy web application firewall (WAF) rules that flag SQL injection signatures against WeGIA endpoints.
  • Enable database query logging and alert on queries containing UNION SELECT or INFORMATION_SCHEMA references issued from the WeGIA service account.
  • Correlate authentication events with anomalous DAO endpoint usage to identify credential misuse.
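The indicators and detection strategies above can be turned into a log check like the one below, an added example that is not part of the original advisory or the WeGIA project. It parses constructed nginx-style access-log lines, decodes the cargo query parameter before matching (a raw regex on the still percent-encoded value misses encoded quotes), and flags requests to the vulnerable endpoint for SQL metacharacters, unexpected length, or a value that does not look like a job role identifier. The assumption that a legitimate cargo is a short numeric identifier is the example's own and should be adjusted to the deployment's real values.

```python
import re
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/dao/verificar_recursos_cargo.php"
# Assumption for this example: a legitimate cargo is a short numeric identifier.
EXPECTED_CARGO = re.compile(r"^\d{1,6}$")
MAX_LEN = 32
META_RE = re.compile(
    r"('|--|;|/\*|\bunion\b|\bselect\b|information_schema)", re.IGNORECASE
)
# Common/combined access-log shape: ip ident user [ts] "METHOD target proto" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d+)'
)

# Constructed sample lines; hosts, users and values are made up for the example.
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - maria [08/Jan/2025:10:01:02 +0000] '
    '"GET /dao/verificar_recursos_cargo.php?cargo=3 HTTP/1.1" 200 512',
    '10.0.0.5 - maria [08/Jan/2025:10:01:09 +0000] '
    '"GET /html/home.php HTTP/1.1" 200 2048',
    '10.0.0.9 - joao [08/Jan/2025:10:02:31 +0000] '
    '"GET /dao/verificar_recursos_cargo.php?cargo=3%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500 120',
    '10.0.0.9 - joao [08/Jan/2025:10:02:40 +0000] '
    '"GET /dao/verificar_recursos_cargo.php?cargo=%27%3B%20SELECT%20table_name%20FROM%20information_schema.tables HTTP/1.1" 500 118',
    '10.0.0.7 - ana [08/Jan/2025:10:03:00 +0000] '
    '"GET /dao/verificar_recursos_cargo.php?cargo=' + "a" * 60 + ' HTTP/1.1" 200 64',
])


def finding_for_line(line: str):
    """Return a finding dict for a suspicious request to the endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if parts.path != TARGET_PATH:
        return None
    # parse_qs percent-decodes, so %27 is checked as a real quote character.
    cargo = parse_qs(parts.query, keep_blank_values=True).get("cargo", [""])[0]
    reasons = []
    if META_RE.search(cargo):
        reasons.append("sql_metacharacters")
    if len(cargo) > MAX_LEN:
        reasons.append("unexpected_length")
    if not EXPECTED_CARGO.match(cargo):
        reasons.append("unexpected_format")
    if not reasons:
        return None
    return {
        "ip": m["ip"],
        "user": m["user"],
        "timestamp": m["ts"],
        "status": int(m["status"]),
        "cargo": cargo,
        "reasons": reasons,
    }


def scan_access_log(text: str) -> list:
    """Scan a whole log; the result is what a SIEM rule or cron job would alert on."""
    return [f for f in (finding_for_line(ln) for ln in text.splitlines()) if f]


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit["timestamp"], hit["ip"], hit["user"], hit["reasons"], repr(hit["cargo"]))
```

The status code is carried along because the page's indicators pair probing of this endpoint with database exceptions; a run of 500 responses on the same parameter from one user is a stronger signal than either observation alone.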

Monitoring Recommendations

  • Forward WeGIA web server logs to a centralized logging or SIEM platform for retention and analysis.
  • Baseline normal request patterns for /dao/ endpoints and alert on deviations in parameter content or request volume.
  • Monitor the WeGIA database account for queries that touch sensitive tables outside expected DAO call paths.

How to Mitigate CVE-2025-22141

Immediate Actions Required

  • Upgrade WeGIA to version 3.2.8 or later, which contains the official fix.
  • Audit existing WeGIA deployments for prior exploitation by reviewing access logs and database query history for the cargo parameter.
  • Restrict network access to the WeGIA application so that only authorized users can reach the /dao/ endpoints.
  • Rotate database and application credentials if logs suggest the endpoint was probed or exploited.

Patch Information

The vulnerability is fixed in WeGIA version 3.2.8. Patch details and remediation guidance are documented in the GitHub Security Advisory GHSA-w7hp-2w2c-p636 and the LabRedesCefetRJ mirror advisory. Administrators should follow the project's upgrade documentation and validate the application after upgrading.

Workarounds

  • If upgrading immediately is not possible, place the WeGIA application behind a WAF configured to block SQL injection patterns on the cargo parameter.
  • Limit privileges of the database account used by WeGIA to the minimum required tables and operations.
  • Disable or restrict access to /dao/verificar_recursos_cargo.php via web server rules until the patch is applied.
```nginx
# Example nginx rule to block requests containing SQL metacharacters in the cargo parameter
location /dao/verificar_recursos_cargo.php {
    if ($arg_cargo ~* "('|--|;|union|select|/\*)") {
        return 403;
    }
}
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.