CVE-2025-7934 Overview
CVE-2025-7934 is a SQL injection vulnerability in the fuyang_lipengjun platform, an open-source Java-based application distributed through Gitee. The flaw resides in the queryPage function of platform-schedule/src/main/java/com/platform/controller/ScheduleJobController.java. Attackers can manipulate the beanName parameter to inject arbitrary SQL statements. The vulnerability is remotely exploitable and requires only low-privileged authentication. Because the project does not use formal versioning, the affected and unaffected releases cannot be definitively enumerated. The exploit details have been disclosed publicly through VulDB. This vulnerability is classified under [CWE-89] (SQL Injection) and [CWE-74] (Improper Neutralization of Special Elements).
Critical Impact
An authenticated remote attacker can inject SQL through the beanName parameter in the scheduled job controller, leading to unauthorized read, modification, or disclosure of backend database contents.
Affected Products
- fuyang_lipengjun platform (up to commit ca9aceff6902feb7b0b6bf510842aea88430796a)
- platform-schedule module containing ScheduleJobController.java
- All deployments using the unversioned rolling release distributed via Gitee
Discovery Timeline
- 2025-07-21 - CVE-2025-7934 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2025-7934
Vulnerability Analysis
The vulnerability exists in the queryPage method of ScheduleJobController.java within the platform-schedule module. The controller accepts a beanName request parameter intended to filter scheduled jobs by their Spring bean identifier. The parameter value is concatenated into a SQL query without parameterized binding or input sanitization. An authenticated attacker can submit crafted beanName values containing SQL metacharacters to alter the query structure. Successful exploitation leads to disclosure or manipulation of arbitrary records accessible to the application's database account.
Root Cause
The root cause is improper neutralization of special elements used in a SQL command, mapped to [CWE-89]. The queryPage handler passes the user-supplied beanName directly into a SQL statement constructed via string concatenation rather than using prepared statements or MyBatis parameter binding with #{} placeholders. This pattern aligns with [CWE-74] for improper input neutralization in downstream components.
Attack Vector
The attack is initiated remotely over the network against the schedule management endpoint. The attacker must hold a valid low-privileged session to reach the controller. A typical exploitation request submits a beanName value containing payloads such as ' UNION SELECT ...-- or boolean-based predicates to infer or extract database content. No user interaction is required beyond the authenticated HTTP request.
No verified proof-of-concept code is published in the referenced advisories. Technical details and submission metadata are tracked in the VulDB entry #317063 and the Gitee issue ICLILS.
Detection Methods for CVE-2025-7934
Indicators of Compromise
- HTTP requests to schedule job endpoints containing SQL metacharacters such as ', --, UNION, SLEEP(, or OR 1=1 in the beanName parameter.
- Database error messages or stack traces referencing ScheduleJobController.queryPage in application logs.
- Unusual outbound queries from the application's database user against tables outside the schedule schema.
Detection Strategies
- Inspect web access logs and WAF telemetry for requests targeting /schedule/* paths carrying suspicious beanName values.
- Enable SQL query logging on the backend database and correlate queries containing concatenated beanName substrings against application sessions.
- Deploy database activity monitoring rules that flag UNION-based or time-delay queries originating from the application service account.
Monitoring Recommendations
- Forward application, web server, and database audit logs to a centralized analytics platform for correlation against injection signatures.
- Alert on spikes in HTTP 500 responses from the platform-schedule module, which often indicate injection probing.
- Track authenticated user accounts that issue anomalous volumes of requests to administrative scheduling endpoints.
How to Mitigate CVE-2025-7934
Immediate Actions Required
- Restrict network exposure of the platform-schedule module to trusted administrative networks only.
- Audit existing accounts and revoke unnecessary access to scheduled job management functionality.
- Review database privileges granted to the application user and enforce least privilege on schedule-related schemas.
Patch Information
No official patch or fixed commit has been published by the maintainer at the time of this writing. Because the fuyang_lipengjun/platform project does not use formal release versioning, downstream operators must track the upstream repository directly. Refer to the Gitee issue ICLILS for upstream status. Operators should refactor the queryPage method to use parameterized queries via MyBatis #{beanName} bindings or PreparedStatement placeholders, and validate beanName against an allowlist of expected bean identifiers.
Workarounds
- Deploy a web application firewall rule that rejects requests where beanName contains SQL metacharacters or exceeds a strict character allowlist.
- Apply input validation at a reverse proxy to constrain beanName to alphanumeric characters and a limited set of separators.
- Disable or remove the schedule management endpoint if it is not required for production operations.
# Example NGINX rule rejecting SQL metacharacters in the beanName parameter
if ($arg_beanName ~* "('|\"|--|;|/\*|union|select|sleep\(|or +1=1)") {
return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

