CVE-2025-8163 Overview
CVE-2025-8163 is a SQL injection vulnerability in deerwms deer-wms-2 versions up to 3.3. The flaw affects the /system/role/list endpoint, where the params[dataScope] argument is concatenated into a SQL query without sanitization. Authenticated remote attackers can manipulate this parameter to execute arbitrary SQL statements against the backend database. The exploit details have been disclosed publicly, increasing the likelihood of opportunistic attacks against exposed instances. The vulnerability is tracked under [CWE-89] (SQL Injection) and [CWE-74] (Improper Neutralization of Special Elements).
Critical Impact
Authenticated attackers can inject arbitrary SQL through the params[dataScope] parameter at /system/role/list, leading to disclosure or modification of warehouse management data.
Affected Products
- deerwms deer-wms-2 versions up to and including 3.3
- Deployments exposing the /system/role/list administrative endpoint
- Web-facing warehouse management instances using the role listing module
Discovery Timeline
- 2025-07-25 - CVE-2025-8163 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-8163
Vulnerability Analysis
The vulnerability resides in the role listing handler exposed at /system/role/list. The handler accepts a params[dataScope] request argument that is incorporated into a backend SQL query without parameterization or input validation. An authenticated attacker can supply crafted SQL syntax in this parameter to alter query logic, exfiltrate database contents, or modify stored records.
The deer-wms-2 application is a warehouse management system, so the database typically contains inventory, order, user, and role data. Successful exploitation allows attackers to bypass role-based access control by reading or tampering with the sys_role and related tables. Because the entry point is network-accessible and only requires low-privilege authentication, exploitation can be automated against exposed instances.
Root Cause
The root cause is improper neutralization of special elements used in a SQL command [CWE-89]. The dataScope filter, which is intended to restrict role visibility, is appended directly into the WHERE clause rather than passed through a prepared statement or ORM binding. This pattern is common in MyBatis-style applications when developers use ${} substitution instead of #{} parameter binding.
Attack Vector
Exploitation requires network access to the deer-wms-2 web interface and a valid low-privilege session. The attacker issues a request to /system/role/list with a malicious payload embedded in params[dataScope]. The payload is reflected into the SQL query, allowing UNION-based extraction, boolean-based inference, or time-based blind injection. Public disclosure of the exploit details means proof-of-concept logic is available to attackers without prior research effort. See the Gitee Issue Report and VulDB entry #317577 for additional technical context.
Detection Methods for CVE-2025-8163
Indicators of Compromise
- HTTP requests to /system/role/list containing SQL metacharacters such as single quotes, UNION, SELECT, SLEEP, or comment sequences in the params[dataScope] parameter
- Unusual response time variance on the role listing endpoint indicative of time-based blind SQL injection
- Database errors or stack traces referencing the role mapper logged by the application server
- Unexpected reads against sys_role, sys_user, or sys_user_role tables from the application database user
Detection Strategies
- Deploy WAF or reverse proxy rules that inspect query and body parameters on /system/role/* endpoints for SQL injection patterns
- Enable database query logging and alert on anomalous UNION or INFORMATION_SCHEMA access originating from the deer-wms-2 service account
- Correlate authenticated session activity with parameter content to identify low-privilege users probing administrative endpoints
Monitoring Recommendations
- Forward application and database logs to a centralized analytics platform and build detections for SQL injection signatures targeting the affected route
- Track the volume of requests to /system/role/list per session and alert on outliers consistent with automated scanning
- Monitor for outbound data transfers from the database server that exceed normal baselines
How to Mitigate CVE-2025-8163
Immediate Actions Required
- Restrict access to the deer-wms-2 administrative interface to trusted networks or VPN users until a patched release is deployed
- Audit application logs since the published date of 2025-07-25 for evidence of exploitation against /system/role/list
- Rotate database credentials and review role and user tables for unauthorized modifications
Patch Information
At the time of NVD's last update on 2026-06-17, no vendor-supplied fixed version has been published in the referenced advisories. Track the upstream Gitee Issue Report for remediation updates and apply any subsequent release that replaces string concatenation with parameterized queries in the role mapper.
Workarounds
- Add a server-side allow-list filter that rejects non-alphanumeric characters in the params[dataScope] parameter before it reaches the application layer
- Place a WAF rule in blocking mode for SQL injection signatures on the /system/role/list route
- Revoke unnecessary database privileges from the deer-wms-2 service account so that injection cannot reach tables outside the application schema
- Disable or firewall the role listing endpoint if it is not required for operational workflows
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

