CVE-2025-7936 Overview
CVE-2025-7936 is a SQL injection vulnerability in the fuyang_lipengjun platform affecting commits up to ca9aceff6902feb7b0b6bf510842aea88430796a. The flaw exists in the queryPage function within com/platform/controller/ScheduleJobLogController.java. Attackers can manipulate the beanName and methodName arguments to inject arbitrary SQL statements. The vulnerability is remotely exploitable and requires only low-privilege authentication. The exploit details have been publicly disclosed. Because the project uses a rolling-release delivery model, no discrete patched version is published, complicating remediation tracking for downstream users.
Critical Impact
Authenticated remote attackers can inject SQL through the schedule job log query interface, exposing or modifying backend database contents.
Affected Products
- fuyang_lipengjun platform (rolling release up to commit ca9aceff6902feb7b0b6bf510842aea88430796a)
- Component: com/platform/controller/ScheduleJobLogController.java
- CPE: cpe:2.3:a:fuyang_lipengjun:platform:1.0.0:*:*:*:*:*:*:*
Discovery Timeline
- 2025-07-21 - CVE-2025-7936 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2025-7936
Vulnerability Analysis
The vulnerability is classified under [CWE-89] SQL Injection and [CWE-74] Improper Neutralization of Special Elements. The defect resides in the queryPage method of ScheduleJobLogController.java, which handles paginated queries against scheduled job execution logs. User-supplied beanName and methodName parameters are concatenated into a SQL statement without parameterization or proper escaping.
An authenticated attacker can submit crafted values that break out of the intended query context and append arbitrary SQL clauses. This allows extraction of arbitrary tables, modification of records, or enumeration of database metadata. The attack requires no user interaction and can be executed across the network against any reachable instance.
Root Cause
The root cause is direct string concatenation of HTTP request parameters into a SQL query executed by the MyBatis or JDBC layer. The beanName and methodName inputs feed an ORDER BY or WHERE clause that bypasses prepared statement protections. No allowlist or input sanitization is applied before query construction.
Attack Vector
The attack is network-reachable and requires low-privilege credentials on the admin portal. An attacker submits a POST or GET request to the schedule job log query endpoint with malicious values in beanName or methodName. The injected payload executes within the database engine context, returning data through the application response or enabling time-based blind extraction. Public disclosure of the exploit details increases the likelihood of automated scanning against exposed instances.
No verified proof-of-concept code is published in the official references. See the Gitee Issue Discussion and VulDB entry #317065 for additional technical context.
Detection Methods for CVE-2025-7936
Indicators of Compromise
- HTTP requests to schedule job log endpoints containing SQL meta-characters such as single quotes, UNION, SLEEP(, or -- within beanName or methodName parameters.
- Database error messages or unusually long response times tied to schedule job log queries.
- Unexpected outbound database queries originating from the application server during log retrieval operations.
Detection Strategies
- Inspect web server and application logs for parameter values containing SQL syntax tokens in requests to ScheduleJobLogController endpoints.
- Deploy web application firewall rules that flag injection patterns on the schedule job log query API.
- Enable database query logging and alert on anomalous queries originating from the affected controller.
Monitoring Recommendations
- Forward application, web server, and database telemetry to a centralized analytics platform for correlation of injection attempts.
- Baseline normal beanName and methodName values, then alert on deviations or high-entropy strings.
- Monitor for privilege changes or large data exports following suspicious queries against the platform database.
How to Mitigate CVE-2025-7936
Immediate Actions Required
- Restrict access to the platform administrative interface to trusted networks and authenticated administrators only.
- Audit recent application and database logs for evidence of exploitation against schedule job log endpoints.
- Rotate database credentials used by the application if exploitation is suspected.
Patch Information
The vendor follows a rolling-release model, and no discrete patched version is published. Track upstream commits at the project repository on Gitee and apply fixes that introduce parameterized queries or strict allowlisting on beanName and methodName inputs. Until an upstream fix is available, downstream maintainers should patch ScheduleJobLogController.java locally.
Workarounds
- Implement an allowlist filter that constrains beanName and methodName to alphanumeric identifiers matching known job class and method names.
- Place a web application firewall in front of the platform and block requests containing SQL injection signatures targeting the schedule job log API.
- Apply least-privilege principles to the application's database account to limit the impact of successful injection.
# Example WAF rule (ModSecurity) to block SQLi patterns on the affected endpoint
SecRule REQUEST_URI "@contains /sys/scheduleLog" \
"chain,id:1007936,phase:2,deny,status:403,msg:'CVE-2025-7936 SQLi attempt'"
SecRule ARGS:beanName|ARGS:methodName "@rx (?i)(union|select|sleep\(|--|;|/\*)" "t:none"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

