CVE-2025-4113: Curfew E-pass Management System SQLi Flaw

CVE-2025-4113 is a critical SQL injection vulnerability in PHPGurukul Curfew E-pass Management System 1.0 affecting the admin panel. Attackers can exploit this remotely via the editid parameter. This article covers technical details, affected versions, impact, and mitigation strategies.

CVE-2025-4113 Overview

CVE-2025-4113 is a SQL injection vulnerability in PHPGurukul Curfew e-Pass Management System 1.0. The flaw resides in the /admin/edit-pass-detail.php script, where the editid parameter is passed directly into a database query without proper sanitization. An authenticated attacker with low-privilege administrative access can manipulate this parameter remotely to inject arbitrary SQL statements. The exploit details have been publicly disclosed, increasing the risk of opportunistic exploitation against exposed instances. The vulnerability is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component).

Critical Impact

Remote attackers can inject SQL statements through the editid parameter, potentially exposing or modifying pass records, administrator credentials, and other application data.

Affected Products

  • PHPGurukul Curfew e-Pass Management System 1.0
  • Component: /admin/edit-pass-detail.php
  • Vulnerable parameter: editid

Discovery Timeline

  • 2025-04-30 - CVE-2025-4113 published to the National Vulnerability Database (NVD)
  • 2025-05-13 - Last updated in NVD database

Technical Details for CVE-2025-4113

Vulnerability Analysis

The vulnerability exists in the administrative edit workflow of the Curfew e-Pass Management System. When an administrator accesses /admin/edit-pass-detail.php, the application reads the editid request parameter and incorporates it into a SQL query against the backend database. The application does not apply parameterized queries or input validation before using the value. An attacker with administrative login access can submit a crafted editid value to alter the structure of the executed SQL statement. This enables data extraction, authentication bypass through credential disclosure, and potential modification of pass records.

Root Cause

The root cause is improper neutralization of user-supplied input before its inclusion in a SQL query. The editid argument flows from the HTTP request into the SQL string through direct string concatenation. PHP's mysqli or mysql_* family of functions execute the resulting statement without binding parameters. This pattern is common in legacy PHP applications that build queries dynamically rather than using prepared statements with bound parameters.

Attack Vector

The attack is delivered over the network against the administrative interface of the application. An attacker requires low-privilege authentication to reach the vulnerable endpoint. Once authenticated, the attacker sends a request to /admin/edit-pass-detail.php with a manipulated editid value containing SQL syntax. Common exploitation techniques against this class of flaw include UNION-based extraction, boolean-based blind injection, and time-based blind injection. Public disclosure of the exploit lowers the barrier to weaponization. See the GitHub issue tracking this vulnerability for additional technical context.

No verified proof-of-concept code is published as part of this advisory. Refer to the VulDB entry #306593 for additional vulnerability metadata.

Detection Methods for CVE-2025-4113

Indicators of Compromise

  • HTTP requests to /admin/edit-pass-detail.php containing SQL meta-characters such as single quotes, UNION, SELECT, SLEEP(, or -- in the editid parameter.
  • Database error messages logged by PHP referencing syntax errors during execution of queries originating from edit-pass-detail.php.
  • Unusual outbound database query volume or response time spikes against the application's MySQL backend.
  • Unexpected modifications to administrator accounts or pass records without corresponding legitimate admin activity.

Detection Strategies

  • Deploy a Web Application Firewall (WAF) rule set that inspects the editid parameter on requests to /admin/edit-pass-detail.php and blocks SQL injection signatures.
  • Enable MySQL general query logging temporarily to capture malformed queries originating from the vulnerable endpoint.
  • Correlate web server access logs with database error logs to identify injection attempts that produced backend errors.
  • Review authentication logs for admin sessions that immediately precede anomalous requests to edit-pass-detail.php.

Monitoring Recommendations

  • Forward web server access logs and PHP error logs to a centralized log analytics platform for sustained inspection.
  • Alert on any request to /admin/edit-pass-detail.php containing URL-encoded SQL syntax patterns (%27, %20OR%20, %20UNION%20).
  • Monitor for new or modified rows in the administrator users table that do not align with documented change windows.
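
As an added example (not part of the original advisory or the vendor's code), the following Python script applies the indicators and monitoring patterns above to web server access logs: it flags any editid value sent to edit-pass-detail.php that is not a plain integer and names the SQL tokens found after a second URL-decode. The Combined Log Format, delivery of editid in the query string, and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Assumed Combined Log Format: client ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3}) ')
SCRIPT = "/edit-pass-detail.php"
# Meta-characters and keywords named in the indicators above.
SQLI_RE = re.compile(r"'|--|\bunion\b|\bselect\b|\bor\b|sleep\s*\(", re.I)

def editid_values(target):
    """Decoded editid values if the request targets the vulnerable script."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith(SCRIPT):
        return []
    # parse_qsl percent-decodes once and maps '+' to a space.
    return [v for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k == "editid"]

def scan(lines):
    """Return (client, time, status, value, reasons) per suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, when, target, status = m.groups()
        for value in editid_values(target):
            if re.fullmatch(r"[0-9]+", value):
                continue  # a legitimate record id is a plain integer
            decoded = unquote_plus(value)  # second pass exposes %2527-style encoding
            found = {re.sub(r"\s+", "", t.lower()) for t in SQLI_RE.findall(decoded)}
            hits.append((client, when, int(status), decoded,
                         sorted(found) or ["non-numeric"]))
    return hits

# Constructed sample lines (documentation addresses), not taken from a real system.
SAMPLE = [
    '198.51.100.4 - - [01/May/2025:09:14:02 +0000] "GET /admin/edit-pass-detail.php?editid=12 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/May/2025:09:15:40 +0000] "GET /admin/edit-pass-detail.php?editid=12%27 HTTP/1.1" 500 310',
    '203.0.113.9 - - [01/May/2025:09:15:44 +0000] "GET /admin/edit-pass-detail.php?editid=12%20UNION%20SELECT%20NULL HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/May/2025:09:15:49 +0000] "GET /admin/edit-pass-detail.php?editid=12%2527--+ HTTP/1.1" 200 5120',
    '198.51.100.4 - - [01/May/2025:09:20:11 +0000] "GET /admin/dashboard.php HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Access logs record only the query string, so an editid submitted in a POST body has to be inspected through the WAF audit log or application-level logging instead.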

How to Mitigate CVE-2025-4113

Immediate Actions Required

  • Restrict network access to the /admin/ directory using IP allow-listing or VPN-gated access until a patched version is available.
  • Rotate all administrator passwords for the Curfew e-Pass Management System, assuming credential exposure may have occurred.
  • Deploy a WAF policy that blocks SQL injection payloads targeting the editid parameter.
  • Audit the application database for unauthorized modifications to pass records and user accounts.

Patch Information

At the time of publication, no vendor patch has been listed in the NVD references for CVE-2025-4113. Operators should monitor the PHPGurukul website for an updated release of the Curfew e-Pass Management System and apply it as soon as available. In the absence of an official fix, source-code remediation should replace dynamic SQL concatenation in edit-pass-detail.php with prepared statements using bound parameters.

Workarounds

  • Modify /admin/edit-pass-detail.php to validate that editid is strictly numeric before use, for example with intval() or filter_input(INPUT_GET, 'editid', FILTER_VALIDATE_INT).
  • Replace inline query construction with mysqli prepared statements binding editid as an integer parameter.
  • Disable or remove the Curfew e-Pass Management System if it is no longer in active operational use.
  • Place the application behind an authenticated reverse proxy that enforces additional access controls on administrative paths.

```apache
# Example WAF rule (ModSecurity) blocking SQLi patterns on the vulnerable endpoint
SecRule REQUEST_URI "@beginsWith /admin/edit-pass-detail.php" \
  "id:1004113,phase:2,deny,status:403,log,msg:'CVE-2025-4113 SQLi attempt',\
   chain"
  SecRule ARGS:editid "@detectSQLi" \
    "t:none,t:urlDecodeUni"
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.