CVE-2025-8127 Overview
CVE-2025-8127 is a SQL injection vulnerability in deerwms deer-wms-2 versions up to 3.3. The flaw resides in the /system/user/list endpoint, where the params[dataScope] argument is concatenated into a database query without proper sanitization [CWE-89]. Attackers can exploit the issue remotely over the network with low-privileged authenticated access. The exploit details have been publicly disclosed, increasing the likelihood of opportunistic attempts against exposed instances. The vulnerability carries a CVSS 4.0 score of 2.1, reflecting limited confidentiality, integrity, and availability impact on the affected component.
Critical Impact
Authenticated remote attackers can manipulate the params[dataScope] parameter on /system/user/list to execute arbitrary SQL queries against the backend database.
Affected Products
- deerwms deer-wms-2 versions up to and including 3.3
Discovery Timeline
- 2025-07-25 - CVE-2025-8127 published to the National Vulnerability Database (NVD)
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2025-8127
Vulnerability Analysis
The vulnerability affects the user listing functionality exposed at /system/user/list in deer-wms-2, an open-source warehouse management system. The application accepts a params[dataScope] value from the client and incorporates it into a SQL statement used to filter user records based on data scope permissions. Because the parameter is not parameterized or sanitized, an attacker can inject SQL fragments that alter the query logic. The condition is classified under [CWE-74] (Injection) and [CWE-89] (SQL Injection).
Exploitation requires network access and low privileges, but no user interaction. Successful injection allows attackers to read or alter records the application accesses, depending on database user permissions. The EPSS score is approximately 0.22%, placing it in the 45th percentile for exploitation likelihood.
Root Cause
The root cause is the direct concatenation of the params[dataScope] request parameter into a SQL WHERE clause without prepared statements, parameter binding, or allowlist validation. Data scope filters commonly inject SQL fragments by design in legacy MyBatis-based applications, which encourages unsafe interpolation when developers use ${} substitution instead of #{} parameter binding.
Attack Vector
An authenticated attacker submits a crafted HTTP request to /system/user/list with a malicious params[dataScope] value. The injected SQL is executed by the backend database engine, returning data outside the user's intended scope or modifying query behavior. The exploit was disclosed publicly through the project's Gitee issue tracker and VulDB submission, and may be reused without modification.
For technical specifics, refer to the Gitee Issue Discussion and the VulDB ID #317512 entry.
Detection Methods for CVE-2025-8127
Indicators of Compromise
- HTTP POST or GET requests to /system/user/list containing SQL metacharacters (', --, UNION, SELECT, SLEEP) in the params[dataScope] parameter.
- Database error messages or unusually long response times correlating with requests to the user listing endpoint.
- Unexpected access to user records outside an account's normal data scope assignment.
Detection Strategies
- Deploy Web Application Firewall (WAF) rules that inspect the params[dataScope] parameter for SQL injection signatures.
- Enable database query logging and alert on syntactically anomalous queries originating from the deer-wms-2 application user.
- Correlate application access logs with database audit logs to identify scope violations following requests to /system/user/list.
Monitoring Recommendations
- Monitor authentication logs for newly created or compromised low-privilege accounts attempting to enumerate the user list endpoint.
- Track outbound database connections from the application server for volumetric anomalies indicative of data exfiltration.
- Forward web server and database logs to a centralized analytics platform to support retrospective hunting once exploit signatures are known.
How to Mitigate CVE-2025-8127
Immediate Actions Required
- Restrict network access to deer-wms-2 administrative endpoints, including /system/user/list, to trusted internal networks only.
- Rotate credentials for any low-privilege application accounts that could be used to reach the vulnerable endpoint.
- Review database user permissions assigned to the application and apply least-privilege principles to limit injection impact.
Patch Information
At the time of publication, no vendor patch is referenced in the NVD entry. Track remediation status through the Gitee Issue Discussion and apply updated builds as soon as the maintainers publish fixes. Until a patch is available, treat the affected versions as actively vulnerable.
Workarounds
- Place the deer-wms-2 application behind a WAF with rules blocking SQL injection patterns in the params[dataScope] parameter.
- Implement a reverse proxy filter that rejects requests where params[dataScope] contains characters outside an expected allowlist of digits and commas.
- Disable or remove unused application accounts to reduce the pool of credentials usable for authenticated exploitation.
# Example NGINX rule to block suspicious dataScope values
location /system/user/list {
if ($arg_params\[dataScope\] ~* "(select|union|sleep|--|'|\")") {
return 403;
}
proxy_pass http://deer-wms-backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

