CVE-2025-5384: Huayi-tec JeeWMS SQLi Vulnerability

CVE-2025-5384 Overview

A critical SQL injection vulnerability has been identified in JeeWMS, an open-source warehouse management system developed by Huayi-tec. The vulnerability exists in the CgAutoListController function accessible through the /cgAutoListController.do?datagrid endpoint. This flaw allows remote attackers with low-level authentication to inject malicious SQL commands, potentially compromising database confidentiality, integrity, and availability.

Critical Impact

Remote attackers can exploit this SQL injection vulnerability to extract sensitive data, modify database records, or disrupt warehouse management operations through the exposed endpoint.

Affected Products

• Huayi-tec JeeWMS (versions up to 20250504)
• JeeWMS rolling release versions prior to security patch

Discovery Timeline

• 2025-05-31 - CVE-2025-5384 published to NVD
• 2025-09-11 - Last updated in NVD database

Technical Details for CVE-2025-5384

Vulnerability Analysis

This SQL injection vulnerability (classified under CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component) affects the CgAutoListController component within JeeWMS. The vulnerable endpoint /cgAutoListController.do?datagrid fails to properly sanitize user-supplied input before incorporating it into SQL queries, enabling injection attacks.

The vulnerability can be exploited remotely over the network without requiring complex attack chains. While authentication is required, only low-level privileges are necessary to initiate an attack. Successful exploitation can result in unauthorized access to database records, modification of warehouse inventory data, and potential disruption of warehouse management operations.

JeeWMS follows a rolling release model for continuous delivery, which means specific version details for affected and updated releases are not explicitly defined. Organizations should verify their installations against the latest available release.

Root Cause

The root cause of this vulnerability stems from insufficient input validation and improper neutralization of user-controlled parameters in the CgAutoListController function. When processing requests to the datagrid action, the application directly incorporates user input into SQL queries without adequate parameterization or sanitization, creating an injection point.

Attack Vector

The attack can be initiated remotely over the network by sending crafted HTTP requests to the /cgAutoListController.do?datagrid endpoint. An authenticated attacker with minimal privileges can manipulate query parameters to inject SQL commands that execute within the context of the database user.

The vulnerability allows attackers to:

• Extract sensitive warehouse and inventory data
• Modify or delete database records
• Potentially escalate privileges within the application
• Cause denial of service through resource-intensive queries

For technical details and proof-of-concept information, refer to the Gitee Issue Report.

Detection Methods for CVE-2025-5384

Indicators of Compromise

• Unusual or malformed HTTP requests to /cgAutoListController.do?datagrid containing SQL syntax characters (e.g., single quotes, UNION, SELECT statements)
• Database query logs showing unexpected or unauthorized queries originating from the JeeWMS application
• Anomalous database access patterns or unexpected data retrieval operations
• Error logs indicating SQL syntax errors that may result from injection attempts

Detection Strategies

• Deploy Web Application Firewalls (WAF) with SQL injection detection rules targeting the affected endpoint
• Implement application-level logging for all requests to /cgAutoListController.do and analyze for injection patterns
• Monitor database audit logs for queries containing concatenated user input or unusual UNION-based statements
• Use intrusion detection systems (IDS) configured with signatures for common SQL injection patterns

Monitoring Recommendations

• Enable verbose logging on the JeeWMS application server and review logs for suspicious activity
• Configure database monitoring to alert on queries with unusual execution times or data access volumes
• Implement real-time alerting for requests containing SQL injection keywords targeting the vulnerable endpoint
• Establish baseline metrics for normal database query patterns to identify anomalous behavior

How to Mitigate CVE-2025-5384

Immediate Actions Required

• Update JeeWMS to the latest rolling release version that addresses this vulnerability
• Implement network-level restrictions to limit access to the /cgAutoListController.do endpoint to trusted users only
• Deploy a Web Application Firewall with SQL injection protection rules as an interim measure
• Review and audit existing database access logs for signs of prior exploitation

Patch Information

JeeWMS uses a rolling release model for continuous delivery, which means traditional version-based patching information is not available. Organizations should:

1. Monitor the official Gitee repository for updates addressing this vulnerability
2. Pull the latest version of JeeWMS from the official repository
3. Review the VulDB entry for additional technical details and updates

Workarounds

• Restrict network access to the vulnerable endpoint using firewall rules or access control lists until a patch can be applied
• Implement input validation at the reverse proxy or load balancer level to filter malicious SQL injection patterns
• Temporarily disable the CgAutoListController functionality if it is not critical to warehouse operations
• Apply database-level security by using read-only database accounts for the JeeWMS application where possible

# Example: Block access to vulnerable endpoint using nginx
location /cgAutoListController.do {
    # Restrict access to trusted IP addresses only
    allow 192.168.1.0/24;
    deny all;
    
    # Additional security headers
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options DENY;
}