CVE-2025-29085: vipshop Saturn SQL Injection Vulnerability

CVE-2025-29085 is a SQL injection vulnerability in vipshop Saturn v.3.5.1 and earlier versions that enables remote attackers to execute arbitrary code. This article covers technical details, affected systems, and mitigation.

CVE-2025-29085 Overview

CVE-2025-29085 is a SQL injection vulnerability affecting vipshop Saturn v.3.5.1 and earlier versions. This vulnerability allows a remote attacker to execute arbitrary code via the zkClusterKey parameter of the /console/dashboard/executorCount endpoint. The flaw stems from improper input validation in the dashboard endpoint, enabling attackers to inject malicious SQL queries that can compromise the underlying database and potentially gain control of the affected system.

Critical Impact

Remote attackers can exploit this SQL injection vulnerability without authentication to execute arbitrary code, potentially leading to complete system compromise, data exfiltration, and unauthorized access to sensitive information stored in the Saturn job scheduling platform.

Affected Products

  • vipshop Saturn v.3.5.1
  • vipshop Saturn versions prior to v.3.5.1
  • Saturn job scheduling platform deployments with exposed dashboard endpoints

Discovery Timeline

  • 2025-04-02 - CVE-2025-29085 published to NVD
  • 2025-04-07 - Last updated in NVD database

Technical Details for CVE-2025-29085

Vulnerability Analysis

This vulnerability is classified as CWE-89 (SQL Injection), a critical web application security flaw that occurs when user-supplied data is improperly handled before being incorporated into SQL queries. In the case of CVE-2025-29085, the vulnerable endpoint /console/dashboard/executorCount accepts a zkClusterKey parameter that is not properly sanitized before being used in database queries.

Saturn is a distributed job scheduling platform developed by vipshop. The dashboard component provides administrative functionality for monitoring and managing job executors across the cluster. The executorCount endpoint appears to query the database to retrieve executor statistics based on the ZooKeeper cluster key provided by the user.

The exploitation of this vulnerability requires no authentication and can be performed remotely over the network with low attack complexity. Successful exploitation can lead to complete compromise of confidentiality, integrity, and availability of the affected system.

Root Cause

The root cause of this vulnerability lies in insufficient input validation and improper parameterization of SQL queries within the /console/dashboard/executorCount endpoint. The zkClusterKey parameter is directly concatenated or interpolated into SQL statements without proper sanitization or the use of prepared statements with parameterized queries.

This design flaw allows attackers to break out of the intended query context and inject malicious SQL commands that are executed with the privileges of the database user configured for the Saturn application.
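The root cause described above, as an added illustration that is not code from the Saturn project: an executor-count lookup that splices zkClusterKey into the statement text, beside the parameterized form and an endpoint-level format check. The executor table, its rows and the allowlist pattern are assumptions constructed for this example, not Saturn's real schema.

```python
import re
import sqlite3

# Allowlist for the cluster-key format. The pattern is an assumption for this
# example; it is defence in depth beside parameterization, not a replacement.
ZK_KEY_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")

def is_valid_zk_cluster_key(key):
    return ZK_KEY_RE.fullmatch(key) is not None

def make_db():
    # Constructed executor table with three rows; not Saturn's real schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE executor (name TEXT, zk_cluster_key TEXT)")
    conn.executemany(
        "INSERT INTO executor VALUES (?, ?)",
        [("exec-1", "prod-zk"), ("exec-2", "prod-zk"), ("exec-3", "staging-zk")],
    )
    return conn

def executor_count_vulnerable(conn, zk_cluster_key):
    # The flaw described above: untrusted input spliced into the statement text,
    # so a quote in the value closes the literal and the rest is parsed as SQL.
    sql = "SELECT COUNT(*) FROM executor WHERE zk_cluster_key = '%s'" % zk_cluster_key
    return conn.execute(sql).fetchone()[0]

def executor_count_safe(conn, zk_cluster_key):
    # Prepared statement: the value is bound to a placeholder and is never parsed
    # as SQL, so quotes and keywords inside it stay plain characters.
    sql = "SELECT COUNT(*) FROM executor WHERE zk_cluster_key = ?"
    return conn.execute(sql, (zk_cluster_key,)).fetchone()[0]

def handle_executor_count(conn, zk_cluster_key):
    # Endpoint-level check: reject keys outside the expected format before
    # they reach the database at all.
    if not is_valid_zk_cluster_key(zk_cluster_key):
        raise ValueError("rejected zkClusterKey: unexpected characters")
    return executor_count_safe(conn, zk_cluster_key)

if __name__ == "__main__":
    conn = make_db()
    hostile = "x' OR '1'='1"  # the quote ends the literal; the tautology matches every row
    print(executor_count_vulnerable(conn, "prod-zk"))  # 2
    print(executor_count_vulnerable(conn, hostile))    # 3: WHERE clause was rewritten
    print(executor_count_safe(conn, hostile))          # 0: compared as a literal key
    print(handle_executor_count(conn, "prod-zk"))      # 2
```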

Attack Vector

The attack vector for CVE-2025-29085 is network-based, requiring an attacker to send specially crafted HTTP requests to the vulnerable endpoint. The attack flow typically involves:

  1. An attacker identifies a Saturn deployment with an exposed dashboard interface
  2. The attacker crafts a malicious HTTP request to the /console/dashboard/executorCount endpoint
  3. The zkClusterKey parameter is manipulated to include SQL injection payloads
  4. The unsanitized input is processed by the backend, executing the injected SQL commands
  5. Depending on the payload, the attacker can extract data, modify records, or execute system commands

A proof-of-concept demonstrating this vulnerability is available in the GitHub Gist PoC. Administrators should review this resource to understand the exploitation mechanism and verify their systems are protected.

Detection Methods for CVE-2025-29085

Indicators of Compromise

  • Unusual or malformed requests to /console/dashboard/executorCount endpoint containing SQL syntax characters such as single quotes, semicolons, or UNION SELECT statements
  • Database query logs showing unexpected queries, error messages related to SQL syntax, or queries containing injection patterns
  • Unexpected database modifications, new user accounts, or data exfiltration activity
  • Web server access logs showing repeated requests to dashboard endpoints with varying zkClusterKey parameter values

Detection Strategies

  • Implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns targeting the Saturn dashboard endpoints
  • Configure database activity monitoring to alert on anomalous query patterns, failed authentication attempts, or queries containing injection signatures
  • Deploy intrusion detection systems (IDS) with signatures for SQL injection attack patterns in HTTP request parameters
  • Enable detailed logging on Saturn application servers and establish baseline behavior for the dashboard endpoints

Monitoring Recommendations

  • Monitor all HTTP traffic to Saturn dashboard endpoints for suspicious parameter values containing SQL metacharacters
  • Implement real-time alerting for database errors that may indicate SQL injection attempts, such as syntax errors or permission violations
  • Establish network segmentation monitoring to detect potential lateral movement following successful exploitation
  • Review application and database logs regularly for signs of unauthorized access or data extraction
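The indicators listed under Indicators of Compromise and the monitoring recommendations above, turned into a log check (added example, not tooling from the page or the Saturn project): it parses access-log lines in the common/combined format, flags requests to the executorCount endpoint whose zkClusterKey carries SQL metacharacters or keywords, and lists clients that probed the endpoint with many distinct values. The sample log lines are constructed for this example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/console/dashboard/executorCount"
# Common/combined access-log prefix: client, identd, user, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')
# Indicators listed above: quotes, comment markers, statement separators, UNION ... SELECT.
SQLI_RE = re.compile(r"['\"]|--|;|/\*|\bunion\b.+\bselect\b", re.IGNORECASE)

# Constructed sample lines (203.0.113.0/24 is documentation address space); not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Apr/2025:10:00:01 +0000] "GET /console/dashboard/executorCount?zkClusterKey=prod-zk HTTP/1.1" 200 45',
    '203.0.113.9 - - [02/Apr/2025:10:00:02 +0000] "GET /console/dashboard/executorCount?zkClusterKey=prod-zk%27 HTTP/1.1" 500 12',
    '203.0.113.9 - - [02/Apr/2025:10:00:03 +0000] "GET /console/dashboard/executorCount?zkClusterKey=x%27%20UNION%20SELECT%201-- HTTP/1.1" 500 12',
    '203.0.113.9 - - [02/Apr/2025:10:00:04 +0000] "GET /console/dashboard/executorCount?zkClusterKey=staging-zk HTTP/1.1" 200 45',
    '10.0.0.5 - - [02/Apr/2025:10:00:05 +0000] "GET /console/dashboard/jobs HTTP/1.1" 200 900',
]

def executor_count_requests(lines):
    """Yield (client_ip, zkClusterKey, status) for every request to the endpoint."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line
        url = urlsplit(m.group("target"))
        if url.path != ENDPOINT:
            continue
        # parse_qs percent-decodes, so %27 is compared as a real quote character.
        for key in parse_qs(url.query).get("zkClusterKey", []):
            yield m.group("ip"), key, int(m.group("status"))

def suspicious_requests(lines):
    """Requests whose zkClusterKey carries SQL metacharacters or keywords."""
    return [(ip, key, status) for ip, key, status in executor_count_requests(lines)
            if SQLI_RE.search(key)]

def probing_clients(lines, threshold=3):
    """Clients that sent at least `threshold` distinct zkClusterKey values to the endpoint."""
    seen = defaultdict(set)
    for ip, key, _ in executor_count_requests(lines):
        seen[ip].add(key)
    return sorted(ip for ip, keys in seen.items() if len(keys) >= threshold)

if __name__ == "__main__":
    for ip, key, status in suspicious_requests(SAMPLE_LOG):
        print(f"suspicious: {ip} key={key!r} status={status}")
    print("probing clients:", probing_clients(SAMPLE_LOG))
```

Pair the request-side hits with the database error log: a 500 on this endpoint alongside a SQL syntax error at the same timestamp is a stronger signal than either alone.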

How to Mitigate CVE-2025-29085

Immediate Actions Required

  • Restrict network access to the Saturn dashboard interface to trusted IP addresses only using firewall rules or network ACLs
  • Implement a Web Application Firewall (WAF) with SQL injection protection rules in front of the Saturn deployment
  • Audit all existing database accounts and remove unnecessary privileges from the Saturn application database user
  • Review database logs and application access logs for evidence of prior exploitation attempts

Patch Information

At the time of this publication, administrators should check the official vipshop Saturn repository for security updates addressing CVE-2025-29085. Users running version 3.5.1 or earlier should upgrade to a patched version as soon as one becomes available. Monitor the project's GitHub releases and security advisories for official patches.

The proof-of-concept documentation may contain additional context about affected versions and mitigation approaches.

Workarounds

  • Restrict access to the Saturn console dashboard by implementing IP whitelisting at the network or application layer
  • Deploy a reverse proxy with request filtering capabilities to sanitize input parameters before they reach the Saturn application
  • Disable or remove the /console/dashboard/executorCount endpoint if executor count functionality is not required in your deployment
  • Implement application-level input validation to reject requests containing SQL injection patterns in the zkClusterKey parameter

```bash
# Example: Restrict access to Saturn dashboard using iptables
# Allow only the trusted management network to reach the dashboard port
# (9088 here; adjust to the port your Saturn console actually listens on)
iptables -A INPUT -p tcp --dport 9088 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 9088 -j DROP
```

```nginx
# Example: Nginx reverse proxy with basic SQL injection filtering
# Add to the server block fronting the Saturn dashboard. This is a stopgap
# blocklist, not a fix: $args is not percent-decoded, so the encoded forms of
# the quote and semicolon are matched explicitly and other encodings may still
# pass. Patching and parameterized queries remain the real remedy.
location /console/dashboard/ {
    if ($args ~* "('|%27|--|;|%3b|union|select|insert|update|delete|drop)") {
        return 403;
    }
    proxy_pass http://saturn-backend:9088;
}
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.