CVE-2025-50190 Overview
CVE-2025-50190 is an error-based SQL injection vulnerability [CWE-89] in Chamilo LMS, an open-source learning management system. The flaw exists in the OpenID authentication handler within /index.php, where the openid.assoc_handle GET parameter is concatenated directly into an SQL query without sanitization. Unauthenticated attackers can inject arbitrary SQL through this parameter to extract sensitive data from the underlying database. The issue affects all Chamilo LMS versions prior to 1.11.30 and has been patched upstream.
Critical Impact
Unauthenticated network-based SQL injection allowing extraction of user credentials, session data, and other confidential records from the Chamilo database.
Affected Products
- Chamilo LMS versions prior to 1.11.30
- Deployments using the OpenID authentication module in main/auth/openid/login.php
- Self-hosted Chamilo instances exposing /index.php to the network
Discovery Timeline
- 2026-03-02 - CVE-2025-50190 published to NVD
- 2026-03-03 - Last updated in NVD database
Technical Details for CVE-2025-50190
Vulnerability Analysis
Chamilo LMS implements OpenID authentication through main/auth/openid/login.php. During signature validation, the application retrieves the OpenID association record from the openid_association table using the value of the openid.assoc_handle request parameter. The original implementation built this query using sprintf() with the raw user-supplied handle string, producing a classic error-based SQL injection sink. The vulnerability is reachable from the /index.php entry point without authentication, since the OpenID flow precedes session establishment.
Root Cause
The root cause is unsafe string interpolation into an SQL statement. The pre-patch code in main/auth/openid/login.php constructed the query directly from the HTTP parameter, bypassing Chamilo's parameterized Database::select() API. Single quotes and SQL metacharacters in openid.assoc_handle were not escaped, allowing query manipulation and conditional error-based extraction.
Attack Vector
An attacker submits a crafted GET request to /index.php carrying an OpenID response with a malicious openid.assoc_handle payload. The injected SQL is executed in the context of Chamilo's database user, returning data through error messages or boolean conditions. No credentials or user interaction are required.
// Vulnerable pattern (pre-1.11.30) in main/auth/openid/login.php
$openid_association = Database::get_main_table(TABLE_MAIN_OPENID_ASSOCIATION);
$sql = sprintf("SELECT * FROM $openid_association WHERE assoc_handle = '%s'", $response['openid.assoc_handle']);
$res = Database::query($sql);
$association = Database::fetch_object($res);
if ($association && isset($association->session_type)) {
// signature validation continues...
}
// Fixed pattern (1.11.30) using parameterized query
$association = Database::select(
'*',
$openid_association,
[
'where' => [
'assoc_handle = ?' => [$response['openid.assoc_handle']],
]
],
'first'
);
// Source: https://github.com/chamilo/chamilo-lms/commit/613eb19a0fac6dd49c233f32ad5428cd29d5a468
Detection Methods for CVE-2025-50190
Indicators of Compromise
- Requests to /index.php containing openid.assoc_handle with SQL metacharacters such as single quotes, UNION, SELECT, SLEEP(, or -- comments.
- Database error entries referencing the openid_association table or syntax errors near assoc_handle.
- Anomalous OpenID authentication traffic from IPs that have never previously authenticated.
- Sudden spikes in 500-series responses from /index.php correlated with OpenID parameters.
Detection Strategies
- Inspect web server access logs for openid.assoc_handle values that contain URL-encoded quotes (%27), boolean payloads (OR 1=1), or time-based functions.
- Enable database query logging and alert on errors originating from queries against TABLE_MAIN_OPENID_ASSOCIATION.
- Deploy a WAF rule that flags non-token-shaped openid.assoc_handle parameters, since legitimate handles are short opaque identifiers.
Monitoring Recommendations
- Forward Chamilo PHP and web logs to a centralized log platform and correlate OpenID parameter anomalies with authentication outcomes.
- Monitor for outbound database connections or large result sets immediately following OpenID requests.
- Track Chamilo version inventory and alert when any host reports a version below 1.11.30.
How to Mitigate CVE-2025-50190
Immediate Actions Required
- Upgrade Chamilo LMS to version 1.11.30 or later, which contains the parameterized query fix.
- If OpenID is unused, disable the OpenID authentication module in Chamilo configuration to remove the attack surface.
- Review web and database logs for prior exploitation attempts against openid.assoc_handle.
- Rotate database credentials and user session tokens if injection activity is suspected.
Patch Information
The fix is committed in chamilo-lms commit 613eb19 and released in Chamilo LMS v1.11.30. The patch replaces the unsafe sprintf()-based query with Chamilo's parameterized Database::select() helper and updates _openid_signature() to consume the result as an array. Full details are documented in GitHub Security Advisory GHSA-5296-jxrr-pfwj.
Workarounds
- Block external access to OpenID authentication endpoints at the reverse proxy until the upgrade is applied.
- Add a WAF signature rejecting openid.assoc_handle values that contain quotes, semicolons, or SQL keywords.
- Restrict the Chamilo database account to least-privilege SELECT, INSERT, and UPDATE on required tables only.
# Example nginx rule to block suspicious openid.assoc_handle values
if ($arg_openid_assoc_handle ~* "('|\"|--|;|union|select|sleep\(|benchmark\()") {
return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
