CVE-2025-64488 Overview
CVE-2025-64488 is a SQL injection vulnerability [CWE-89] in SuiteCRM, an open-source Customer Relationship Management (CRM) application maintained by SalesAgility. The flaw allows an authenticated attacker to craft a malicious call_id parameter that alters SQL query logic or injects arbitrary SQL statements. Successful exploitation leads to unauthorized data access, data exfiltration, and complete database compromise. The vulnerability affects SuiteCRM versions 7.14.7 and earlier, as well as 8.0.0-beta.1 through 8.9.0. SalesAgility addressed the issue in versions 7.14.8 and 8.9.1.
Critical Impact
Authenticated attackers can inject arbitrary SQL through the call_id parameter, enabling full database compromise and exfiltration of sensitive CRM data.
Affected Products
- SuiteCRM versions 7.14.7 and below
- SuiteCRM versions 8.0.0-beta.1 through 8.9.0
- SalesAgility SuiteCRM (fixed in 7.14.8 and 8.9.1)
Discovery Timeline
- 2025-11-08 - CVE-2025-64488 published to NVD
- 2025-11-25 - Last updated in NVD database
Technical Details for CVE-2025-64488
Vulnerability Analysis
The vulnerability resides in the SuiteCRM API V8 OAuth2 token handling and middleware components. Specifically, the call_id parameter processed by ParamsMiddleware.php and the AccessTokenRepository.php repository was concatenated into SQL queries without proper sanitization or parameterization. An attacker submitting a crafted call_id value can break out of the intended query context. This enables manipulation of WHERE clauses, UNION-based extraction, or boolean-based blind injection techniques against the underlying database.
The weakness is classified as Improper Neutralization of Special Elements used in an SQL Command [CWE-89]. Because SuiteCRM stores customer records, account credentials, and business correspondence, successful exploitation has direct confidentiality and integrity consequences.
Root Cause
The root cause is the absence of input validation and parameter binding when the call_id value flows from API request parameters into SQL execution. The middleware accepted attacker-controlled input and passed it to query construction without enforcing a strict type or format. The patch introduces a RuntimeException import in ParamsMiddleware.php and a BeanFactory reference in AccessTokenRepository.php, indicating tighter validation and safer lookups during token retrieval.
Attack Vector
Exploitation requires network access to the SuiteCRM API endpoint and low-level privileges, as the attacker must reach the OAuth2 token middleware. No user interaction is required. The attacker submits a malicious API request containing a manipulated call_id value, which is then parsed and used in downstream SQL operations.
// Patch excerpt: public/legacy/Api/V8/Middleware/ParamsMiddleware.php
use Api\V8\Param\BaseParam;
use Exception;
use LoggerManager;
+use RuntimeException;
use Slim\Http\Request;
use Slim\Http\Response;
use Api\V8\BeanDecorator\BeanManager;
Source: SuiteCRM-Core commit 30277cf
// Patch excerpt: public/legacy/Api/V8/OAuth2/Repository/AccessTokenRepository.php
use Api\V8\BeanDecorator\BeanManager;
use Api\V8\OAuth2\Entity\AccessTokenEntity;
+use BeanFactory;
use DateTime;
use InvalidArgumentException;
use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
Source: SuiteCRM commit 40da284
The patches introduce stricter exception handling and bean-based record retrieval, replacing string-concatenated SQL access patterns with safer abstractions.
Detection Methods for CVE-2025-64488
Indicators of Compromise
- API requests to OAuth2 token endpoints containing SQL metacharacters such as single quotes, UNION, SELECT, or comment sequences (--, /*) in the call_id parameter.
- Unusual database query patterns originating from the SuiteCRM application user, including queries against users, accounts, or oauth2tokens tables outside normal application flows.
- Web server access logs showing repeated requests to /Api/V8/ endpoints from a single source with varying call_id payloads.
Detection Strategies
- Inspect SuiteCRM web server logs for malformed or oversized call_id parameter values in API requests.
- Enable database query logging and alert on syntax errors or unexpected UNION operations executed by the SuiteCRM service account.
- Deploy a Web Application Firewall (WAF) rule set that flags SQL injection signatures targeting /Api/V8/OAuth2/ paths.
Monitoring Recommendations
- Correlate authentication events with subsequent database read volume to identify exfiltration attempts following successful injection.
- Monitor for new or unexpected OAuth2 access tokens being created or queried outside business hours.
- Track outbound network traffic from the SuiteCRM host for large transfers that may indicate database exfiltration.
How to Mitigate CVE-2025-64488
Immediate Actions Required
- Upgrade SuiteCRM to version 7.14.8 or 8.9.1 immediately to remediate the SQL injection vector.
- Audit recent API request logs for suspicious call_id values and investigate any anomalies prior to patching.
- Rotate OAuth2 client secrets and invalidate active access tokens after upgrading.
- Review database accounts used by SuiteCRM and enforce least-privilege permissions to limit the blast radius of any future injection.
Patch Information
SalesAgility released fixed versions of SuiteCRM addressing CVE-2025-64488. Apply version 7.14.8 for the 7.x branch or 8.9.1 for the 8.x branch. Patch details are available in the GitHub Security Advisory GHSA-5v53-v44q-ww2c, the SuiteCRM-Core commit, and the SuiteCRM 7.14.8 release commit.
Workarounds
- Restrict access to the SuiteCRM API V8 endpoints to trusted networks or VPN-only access until patching is complete.
- Deploy a WAF rule that blocks requests containing SQL metacharacters in the call_id parameter.
- Disable unused OAuth2 client registrations to reduce the attacker surface against the token middleware.
# Example WAF rule (ModSecurity) to block SQL metacharacters in call_id
SecRule ARGS:call_id "@rx (['\"]|--|/\*|\bUNION\b|\bSELECT\b)" \
"id:1006448,phase:2,deny,status:403,log,\
msg:'Possible SQLi in SuiteCRM call_id parameter (CVE-2025-64488)'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

