Skip to main content
CVE Vulnerability Database

CVE-2025-8161: Deerwms Deer-wms-2 SQL Injection Flaw

CVE-2025-8161 is a critical SQL injection vulnerability in Deerwms Deer-wms-2 affecting versions up to 3.3. Attackers can exploit the /system/role/export endpoint remotely. This article covers technical details, impact, and mitigation.

Published:

CVE-2025-8161 Overview

CVE-2025-8161 is a SQL injection vulnerability affecting deerwms deer-wms-2 warehouse management system through version 3.3. The flaw resides in the /system/role/export endpoint, where the params[dataScope] argument is passed to a backend SQL query without proper sanitization. An authenticated remote attacker with low privileges can manipulate this parameter to inject arbitrary SQL statements. The exploit details have been publicly disclosed, increasing the risk of opportunistic attacks against exposed deployments. The vulnerability is classified under CWE-89 (SQL Injection) and CWE-74 (Improper Neutralization of Special Elements in Output).

Critical Impact

Remote authenticated attackers can inject SQL through the role export functionality, potentially exposing or modifying warehouse management data.

Affected Products

  • deerwms deer-wms-2 versions up to and including 3.3
  • Deployments exposing the /system/role/export endpoint
  • Instances accessible to low-privileged authenticated users

Discovery Timeline

  • 2025-07-25 - CVE-2025-8161 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-8161

Vulnerability Analysis

The vulnerability exists in the role export handler at /system/role/export within the deer-wms-2 warehouse management application. The endpoint accepts a params[dataScope] argument that is incorporated into a backend SQL query without parameterization or input validation. Because the value flows directly into SQL syntax, an attacker can break out of the intended query context and append arbitrary SQL clauses. The EPSS score is 0.438% with a percentile of 35.035, indicating a moderate but non-negligible likelihood of exploitation activity given public disclosure.

Root Cause

The root cause is improper neutralization of special elements used in an SQL command [CWE-89]. The application concatenates the user-supplied dataScope value into a dynamic SQL statement rather than binding it as a parameter. Because dataScope is often used to construct WHERE clause fragments controlling row-level access, it is rendered raw into the query, enabling injection of additional predicates, UNION selects, or stacked statements depending on the backing database driver.

Attack Vector

The attack is performed remotely over the network against an authenticated session with low privileges. An attacker submits a crafted HTTP request to /system/role/export containing a malicious params[dataScope] payload. The injected SQL executes within the application's database context, allowing extraction of records, enumeration of schema metadata, or modification of data depending on database permissions and engine features.

No verified public proof-of-concept code is available. Refer to the Gitee Issue Report and VulDB entry 317575 for further technical context.

Detection Methods for CVE-2025-8161

Indicators of Compromise

  • HTTP requests to /system/role/export containing SQL metacharacters such as single quotes, comment markers (--, /*), UNION, SELECT, or SLEEP within the params[dataScope] parameter.
  • Unexpected database errors or extended query latency originating from the role export handler.
  • Authenticated low-privilege accounts accessing /system/role/export outside of normal administrative workflows.

Detection Strategies

  • Deploy web application firewall (WAF) rules that inspect the params[dataScope] parameter for SQL injection patterns on the /system/role/export route.
  • Enable database query logging and alert on unusual INFORMATION_SCHEMA, UNION SELECT, or stacked-query patterns originating from the application service account.
  • Correlate authentication events with role export requests to identify anomalous use of the endpoint by non-administrative users.

Monitoring Recommendations

  • Forward application access logs and database audit logs to a centralized SIEM for retention and correlation.
  • Establish baselines for normal request volume and parameter shape on /system/role/export and alert on deviations.
  • Monitor for outbound data transfers from the application host immediately following requests to the affected endpoint.

How to Mitigate CVE-2025-8161

Immediate Actions Required

  • Restrict network access to /system/role/export to trusted administrative networks until a fix is applied.
  • Audit existing user accounts and revoke unnecessary low-privilege access that could be leveraged to reach the endpoint.
  • Review database audit logs for prior anomalous activity targeting the role export handler.

Patch Information

At the time of NVD publication, no official vendor patch is listed for deer-wms-2. Track the Gitee Issue Report for upstream fix availability and apply the vendor update once released. The project is open source, so organizations running it should monitor the repository for commits referencing dataScope sanitization or parameterized queries.

Workarounds

  • Apply a reverse proxy or WAF rule that blocks SQL metacharacters in the params[dataScope] parameter on the /system/role/export route.
  • Modify the application to use parameterized queries or an ORM binding for the dataScope value, if local patching is feasible.
  • Restrict the database account used by deer-wms-2 to the minimum privileges required, disabling stacked queries and FILE privileges where possible.
bash
# Example NGINX rule to block suspicious dataScope payloads
location /system/role/export {
    if ($arg_params ~* "(union|select|sleep|--|/\*|;)") {
        return 403;
    }
    proxy_pass http://deerwms_backend;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.