Skip to main content
CVE Vulnerability Database

CVE-2025-8163: Deerwms Deer-wms-2 SQL Injection Flaw

CVE-2025-8163 is a critical SQL injection vulnerability in Deerwms Deer-wms-2 affecting the /system/role/list endpoint. Attackers can exploit this remotely to manipulate database queries. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2025-8163 Overview

CVE-2025-8163 is a SQL injection vulnerability in deerwms deer-wms-2 versions up to 3.3. The flaw affects the /system/role/list endpoint, where the params[dataScope] argument is concatenated into a SQL query without sanitization. Authenticated remote attackers can manipulate this parameter to execute arbitrary SQL statements against the backend database. The exploit details have been disclosed publicly, increasing the likelihood of opportunistic attacks against exposed instances. The vulnerability is tracked under [CWE-89] (SQL Injection) and [CWE-74] (Improper Neutralization of Special Elements).

Critical Impact

Authenticated attackers can inject arbitrary SQL through the params[dataScope] parameter at /system/role/list, leading to disclosure or modification of warehouse management data.

Affected Products

  • deerwms deer-wms-2 versions up to and including 3.3
  • Deployments exposing the /system/role/list administrative endpoint
  • Web-facing warehouse management instances using the role listing module

Discovery Timeline

  • 2025-07-25 - CVE-2025-8163 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-8163

Vulnerability Analysis

The vulnerability resides in the role listing handler exposed at /system/role/list. The handler accepts a params[dataScope] request argument that is incorporated into a backend SQL query without parameterization or input validation. An authenticated attacker can supply crafted SQL syntax in this parameter to alter query logic, exfiltrate database contents, or modify stored records.

The deer-wms-2 application is a warehouse management system, so the database typically contains inventory, order, user, and role data. Successful exploitation allows attackers to bypass role-based access control by reading or tampering with the sys_role and related tables. Because the entry point is network-accessible and only requires low-privilege authentication, exploitation can be automated against exposed instances.

Root Cause

The root cause is improper neutralization of special elements used in a SQL command [CWE-89]. The dataScope filter, which is intended to restrict role visibility, is appended directly into the WHERE clause rather than passed through a prepared statement or ORM binding. This pattern is common in MyBatis-style applications when developers use ${} substitution instead of #{} parameter binding.

Attack Vector

Exploitation requires network access to the deer-wms-2 web interface and a valid low-privilege session. The attacker issues a request to /system/role/list with a malicious payload embedded in params[dataScope]. The payload is reflected into the SQL query, allowing UNION-based extraction, boolean-based inference, or time-based blind injection. Public disclosure of the exploit details means proof-of-concept logic is available to attackers without prior research effort. See the Gitee Issue Report and VulDB entry #317577 for additional technical context.

Detection Methods for CVE-2025-8163

Indicators of Compromise

  • HTTP requests to /system/role/list containing SQL metacharacters such as single quotes, UNION, SELECT, SLEEP, or comment sequences in the params[dataScope] parameter
  • Unusual response time variance on the role listing endpoint indicative of time-based blind SQL injection
  • Database errors or stack traces referencing the role mapper logged by the application server
  • Unexpected reads against sys_role, sys_user, or sys_user_role tables from the application database user

Detection Strategies

  • Deploy WAF or reverse proxy rules that inspect query and body parameters on /system/role/* endpoints for SQL injection patterns
  • Enable database query logging and alert on anomalous UNION or INFORMATION_SCHEMA access originating from the deer-wms-2 service account
  • Correlate authenticated session activity with parameter content to identify low-privilege users probing administrative endpoints

Monitoring Recommendations

  • Forward application and database logs to a centralized analytics platform and build detections for SQL injection signatures targeting the affected route
  • Track the volume of requests to /system/role/list per session and alert on outliers consistent with automated scanning
  • Monitor for outbound data transfers from the database server that exceed normal baselines

How to Mitigate CVE-2025-8163

Immediate Actions Required

  • Restrict access to the deer-wms-2 administrative interface to trusted networks or VPN users until a patched release is deployed
  • Audit application logs since the published date of 2025-07-25 for evidence of exploitation against /system/role/list
  • Rotate database credentials and review role and user tables for unauthorized modifications

Patch Information

At the time of NVD's last update on 2026-06-17, no vendor-supplied fixed version has been published in the referenced advisories. Track the upstream Gitee Issue Report for remediation updates and apply any subsequent release that replaces string concatenation with parameterized queries in the role mapper.

Workarounds

  • Add a server-side allow-list filter that rejects non-alphanumeric characters in the params[dataScope] parameter before it reaches the application layer
  • Place a WAF rule in blocking mode for SQL injection signatures on the /system/role/list route
  • Revoke unnecessary database privileges from the deer-wms-2 service account so that injection cannot reach tables outside the application schema
  • Disable or firewall the role listing endpoint if it is not required for operational workflows

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.