CVE-2025-62179 Overview
CVE-2025-62179 is a SQL injection vulnerability in WeGIA, an open source web manager for institutions targeting Portuguese-language users. The flaw resides in the /html/funcionario/cadastro_funcionario_pessoa_existente.php endpoint, specifically in handling of the cpf parameter. Attackers with authenticated access can inject arbitrary SQL commands into the backend database. Successful exploitation compromises database confidentiality, integrity, and availability. The issue affects all WeGIA releases prior to version 3.5.1 and is tracked under [CWE-89] Improper Neutralization of Special Elements used in an SQL Command.
Critical Impact
Authenticated attackers can execute arbitrary SQL queries against the WeGIA database, enabling data theft, modification, and destruction across institutional records.
Affected Products
- WeGIA versions prior to 3.5.1
- Component: wegia:wegia
- Vulnerable endpoint: /html/funcionario/cadastro_funcionario_pessoa_existente.php
Discovery Timeline
- 2025-10-13 - CVE-2025-62179 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-62179
Vulnerability Analysis
The vulnerability exists in the employee registration workflow used to associate an existing person with a funcionario (employee) record. The cpf parameter (Brazilian taxpayer identifier) is passed directly into a SQL query without parameterized binding or input sanitization. An attacker who supplies crafted SQL syntax through this parameter alters query semantics. The database engine executes the injected payload with the privileges of the application database user.
The vulnerability requires high privileges to reach the endpoint, but no user interaction is needed once authenticated. Impact spans confidentiality, integrity, and availability of stored records, including personnel and financial data managed by the institution.
Root Cause
The root cause is concatenation of untrusted HTTP request data into a SQL statement inside cadastro_funcionario_pessoa_existente.php. The endpoint does not use prepared statements or escape the cpf value before query execution. Any string containing SQL metacharacters reaches the database driver intact.
Attack Vector
An authenticated attacker submits a crafted POST or GET request to the vulnerable endpoint with a malicious cpf value. The payload can terminate the original query and append additional statements, extract data via UNION-based techniques, or trigger time-based blind extraction. Network reachability to the WeGIA web interface is sufficient.
// Patch from upstream commit 885972c (sanitized excerpt)
<?php
-
include_once("conexao.php");
session_start();
if (!isset($_SESSION['usuario'])) {
Source: WeGIA commit 885972c
The upstream fix in commit 885972c reworks input handling in the affected file. Refer to the GitHub Security Advisory GHSA-x36x-x5j4-wfjf for the complete patch and additional context.
Detection Methods for CVE-2025-62179
Indicators of Compromise
- HTTP requests to /html/funcionario/cadastro_funcionario_pessoa_existente.php containing SQL metacharacters such as ', --, UNION, SLEEP(, or INFORMATION_SCHEMA in the cpf parameter.
- Unusual database error messages logged by PHP or the database server tied to the employee registration flow.
- Anomalous read volume from the WeGIA database user immediately following requests to the vulnerable endpoint.
Detection Strategies
- Deploy web application firewall rules that inspect the cpf parameter for SQL injection patterns on the affected URL.
- Enable database query logging and alert on statements containing UNION SELECT, sleep functions, or queries referencing system tables originating from the WeGIA service account.
- Correlate authenticated WeGIA session activity with sudden spikes in row reads or schema introspection queries.
Monitoring Recommendations
- Forward WeGIA web server and PHP error logs to a centralized logging pipeline for retention and search.
- Monitor for repeated 500 responses or query timeouts on cadastro_funcionario_pessoa_existente.php, which often indicate blind SQL injection probing.
- Track outbound traffic from the application host for unexpected data exfiltration following suspicious requests.
How to Mitigate CVE-2025-62179
Immediate Actions Required
- Upgrade WeGIA to version 3.5.1 or later, which contains the fix from commit 885972c.
- Audit existing employee and person records for unexpected modifications introduced through the vulnerable endpoint.
- Rotate database credentials used by the WeGIA application if exploitation is suspected.
- Review web server access logs for prior requests matching the indicators listed above.
Patch Information
The vulnerability is fixed in WeGIA version 3.5.1. The maintainers published the corresponding advisory GHSA-x36x-x5j4-wfjf and the remediating change in commit 885972c. Administrators should apply the upstream release rather than backporting partial changes.
Workarounds
- Restrict access to /html/funcionario/ paths to trusted administrative networks until the patch is applied.
- Add a WAF rule that rejects requests where the cpf parameter does not match the expected numeric Brazilian taxpayer ID format.
- Reduce the WeGIA database account privileges so it cannot read or modify tables outside the application schema.
# Example ModSecurity rule enforcing numeric-only cpf parameter
SecRule ARGS:cpf "!@rx ^[0-9]{11}$" \
"id:1062179,phase:2,deny,status:400,\
msg:'CVE-2025-62179: Invalid cpf parameter format',\
tag:'sqli',tag:'wegia'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

