Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-67102

CVE-2025-67102: Jorani Jorani SQL Injection Vulnerability

CVE-2025-67102 is a SQL injection vulnerability in Jorani Jorani up to v1.0.4 that allows authenticated attackers to execute arbitrary SQL commands. This article covers technical details, affected versions, and mitigation.

Updated:

CVE-2025-67102 Overview

CVE-2025-67102 is a SQL injection vulnerability affecting Jorani, an open-source leave and absence management application. The flaw resides in the alldayoffs feature and stems from improper sanitization of the entity parameter. An authenticated attacker can inject arbitrary SQL commands into backend database queries through this parameter. The vulnerability affects Jorani versions up to and including v1.0.4. Successful exploitation can expose sensitive HR data, modify records, or disrupt application availability. The issue is categorized under [CWE-89] Improper Neutralization of Special Elements used in an SQL Command.

Critical Impact

Authenticated attackers can execute arbitrary SQL commands against the Jorani database via the entity parameter, exposing employee leave records and credentials.

Affected Products

  • Jorani versions up to and including v1.0.4
  • Jorani alldayoffs feature endpoint
  • Deployments using the entity parameter in leave management queries

Discovery Timeline

  • 2026-02-17 - CVE-2025-67102 published to NVD
  • 2026-04-03 - Last updated in NVD database

Technical Details for CVE-2025-67102

Vulnerability Analysis

The vulnerability exists in the alldayoffs feature of Jorani, a PHP-based leave management system. The application accepts an entity parameter from authenticated users and incorporates it into a SQL query without proper parameterization or input validation. Because the parameter value is concatenated directly into the query string, an attacker can break out of the intended query context and append arbitrary SQL syntax.

Exploitation requires valid authentication, but Jorani is typically deployed for broad employee access. This lowers the practical barrier for an insider or an attacker who has compromised a low-privilege HR account. The resulting database access can disclose employee personally identifiable information (PII), authentication hashes, and organizational structure data stored within Jorani.

Root Cause

The root cause is improper neutralization of user-supplied input in the entity parameter [CWE-89]. The application fails to use parameterized queries or prepared statements when constructing the SQL query for the alldayoffs endpoint. Input filtering routines do not strip or escape SQL metacharacters before query execution.

Attack Vector

The attack is delivered over the network against a Jorani web instance. An authenticated user sends a crafted HTTP request to the alldayoffs endpoint with a malicious payload in the entity parameter. The injected SQL is parsed and executed by the backend database engine. Refer to the Helx Blog Advisory on Jorani and the GitHub Jorani Repository for additional technical context.

Detection Methods for CVE-2025-67102

Indicators of Compromise

  • HTTP requests to alldayoffs endpoints containing SQL metacharacters such as ', --, UNION, SELECT, or SLEEP within the entity parameter
  • Unexpected database errors logged by the Jorani application referencing malformed queries
  • Unusual outbound database response sizes or query durations originating from the Jorani web tier
  • Authentication events followed immediately by anomalous query volume from the same session

Detection Strategies

  • Inspect web server access logs for entity parameter values containing SQL syntax or URL-encoded equivalents (%27, %20OR%20)
  • Enable database query logging and alert on queries originating from the Jorani service account that include UNION, INFORMATION_SCHEMA, or stacked statements
  • Deploy a web application firewall (WAF) rule set such as OWASP CRS to flag SQL injection signatures targeting Jorani endpoints

Monitoring Recommendations

  • Correlate authenticated session activity with sudden spikes in database read volume
  • Monitor for failed query syntax errors in MySQL or MariaDB logs tied to the Jorani database user
  • Track HTTP 500 responses from alldayoffs requests, which may indicate injection probing

How to Mitigate CVE-2025-67102

Immediate Actions Required

  • Restrict network access to the Jorani application to trusted internal users until a patched release is deployed
  • Audit Jorani user accounts and disable inactive or unnecessary authenticated users
  • Review database and application logs for prior exploitation attempts referencing the entity parameter
  • Rotate credentials for the Jorani database service account and any user accounts whose hashes may have been exposed

Patch Information

No vendor-issued patch is referenced in the NVD entry at publication. Monitor the GitHub Jorani Repository for releases beyond v1.0.4 that address the SQL injection in the alldayoffs feature. Apply the fixed version once it becomes available.

Workarounds

  • Place a WAF in front of Jorani and block requests containing SQL syntax in the entity parameter
  • Configure the Jorani database account with least-privilege permissions, removing rights to sensitive tables that the alldayoffs feature does not require
  • Apply network-level access controls to limit exposure of the Jorani interface to VPN or SSO-gated users only
bash
# Example WAF rule (ModSecurity) to block SQLi patterns in the entity parameter
SecRule ARGS:entity "@detectSQLi" \
    "id:1670102,phase:2,deny,status:403,\
    msg:'Possible SQLi in Jorani alldayoffs entity parameter (CVE-2025-67102)',\
    log,tag:'CVE-2025-67102'"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.