CVE-2025-8162 Overview
CVE-2025-8162 is a SQL injection vulnerability in deerwms deer-wms-2 versions up to 3.3. The flaw resides in the /system/dept/list endpoint, where the params[dataScope] argument is incorporated into a database query without proper sanitization. Authenticated remote attackers can manipulate this parameter to inject arbitrary SQL statements against the backing database. The exploit details have been disclosed publicly, increasing the likelihood of opportunistic abuse against exposed instances. The vulnerability is categorized under [CWE-89] (SQL Injection) and [CWE-74] (Improper Neutralization of Special Elements).
Critical Impact
Authenticated attackers can inject SQL via the params[dataScope] parameter on /system/dept/list, potentially exposing or modifying warehouse management data.
Affected Products
- deerwms deer-wms-2 versions up to and including 3.3
- Deployments exposing the /system/dept/list endpoint
- Installations relying on the default department listing controller
Discovery Timeline
- 2025-07-25 - CVE-2025-8162 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-8162
Vulnerability Analysis
The vulnerability affects the department listing functionality reachable at /system/dept/list in deer-wms-2, an open-source warehouse management system. The endpoint accepts a params[dataScope] parameter that is concatenated into a SQL query string rather than parameterized. An authenticated attacker with low privileges can submit crafted input that alters query semantics, enabling data extraction, boolean-based blind injection, or potentially destructive operations depending on database account permissions.
The issue is publicly documented through the Gitee Issue Report and VulDB entry 317576. Public disclosure of the exploit technique lowers the barrier for attackers to weaponize the flaw against unpatched deployments.
Root Cause
The root cause is improper neutralization of special characters in the dataScope field within the params map. Frameworks such as MyBatis are vulnerable when developers use ${} substitution instead of #{} parameter binding. The dataScope value is typically used to construct dynamic SQL fragments for row-level permission filtering, making it a natural sink for direct string interpolation.
Attack Vector
The attack is launched over the network against an authenticated session. An attacker submits a POST or GET request to /system/dept/list with a malicious payload in params[dataScope], such as an OR 1=1 clause or a UNION SELECT statement, to retrieve arbitrary table contents or enumerate the database schema. No user interaction is required beyond submitting the crafted request.
No verified proof-of-concept code is available. Refer to the VulDB submission #619697 for additional context.
Detection Methods for CVE-2025-8162
Indicators of Compromise
- HTTP requests to /system/dept/list containing SQL metacharacters such as single quotes, UNION, SELECT, SLEEP, or comment sequences in the params[dataScope] field
- Database error messages or unusually large response sizes returned from the department listing endpoint
- Authenticated sessions issuing repeated /system/dept/list requests with varied payloads, indicative of injection probing
Detection Strategies
- Inspect application and web server logs for params[dataScope] values that deviate from the expected enumerated set (for example 1, 2, 3, 4, 5)
- Deploy a web application firewall rule set that flags SQL injection signatures targeting the /system/dept/list URI
- Enable database query logging and alert on anomalous query structures originating from the deer-wms-2 application user
Monitoring Recommendations
- Correlate authentication events with subsequent /system/dept/list requests to identify low-privilege accounts probing the endpoint
- Monitor for unexpected outbound data flows from the database server that could indicate exfiltration through blind injection
- Track schema enumeration patterns such as references to information_schema or sys tables in query logs
How to Mitigate CVE-2025-8162
Immediate Actions Required
- Restrict network access to deer-wms-2 administrative endpoints to trusted management networks only
- Audit account inventories and disable unused low-privilege accounts that could be leveraged to reach the vulnerable endpoint
- Apply least privilege to the database account used by deer-wms-2, removing FILE, DROP, and unnecessary write permissions
Patch Information
No official patched release is referenced in the NVD record at the time of publication. Monitor the deerwms Gitee repository for upstream fixes and review the project commit history for changes to the department listing controller and the underlying MyBatis mapper that handles dataScope.
Workarounds
- Modify the relevant MyBatis mapper to replace ${dataScope} interpolation with #{dataScope} parameter binding, or validate the value against a strict allow-list before query construction
- Place a reverse proxy or WAF in front of deer-wms-2 to filter SQL metacharacters and known injection payloads targeting /system/dept/list
- Disable or remove the department listing feature if it is not required for production workflows
# Example WAF rule (ModSecurity) blocking SQLi patterns on the vulnerable endpoint
SecRule REQUEST_URI "@beginsWith /system/dept/list" \
"phase:2,deny,status:403,id:1008162,\
chain,msg:'CVE-2025-8162 SQLi attempt on dataScope'"
SecRule ARGS:'params[dataScope]' "@rx (?i)(union|select|sleep|--|/\*|;)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

