CVE-2025-9410 Overview
A SQL injection vulnerability has been identified in lostvip-com ruoyi-go versions up to 2.1. The vulnerability affects the SelectListByPage function within the file modules/system/dao/GenTableDao.go. By manipulating the isAsc and orderByColumn arguments, an attacker can inject malicious SQL commands into database queries. This vulnerability is remotely exploitable, and exploit details have been made publicly available.
Critical Impact
Attackers can exploit this SQL injection vulnerability to manipulate database queries, potentially leading to unauthorized data access, data modification, or data deletion. The remote attack vector makes this vulnerability particularly concerning for internet-facing deployments.
Affected Products
- lostvip ruoyi-go versions up to 2.1
- Applications built on the ruoyi-go framework with exposed GenTableDao functionality
Discovery Timeline
- August 25, 2025 - CVE-2025-9410 published to NVD
- October 6, 2025 - Last updated in NVD database
Technical Details for CVE-2025-9410
Vulnerability Analysis
This SQL injection vulnerability (CWE-89) exists due to improper neutralization of special elements used in SQL commands within the SelectListByPage function. The vulnerability is classified under both CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) and CWE-89 (SQL Injection), indicating that user-controlled input is directly incorporated into SQL queries without proper sanitization or parameterization.
The affected function accepts the isAsc and orderByColumn parameters, which are used to construct dynamic ORDER BY clauses in SQL queries. When these parameters are not properly validated or escaped, an attacker can inject arbitrary SQL syntax that gets executed by the database engine.
Root Cause
The root cause of this vulnerability is insufficient input validation and the use of string concatenation or interpolation to build SQL queries in the SelectListByPage function located in modules/system/dao/GenTableDao.go. The isAsc parameter (which typically accepts values like "ASC" or "DESC") and the orderByColumn parameter (which specifies the column name for sorting) are directly embedded into the SQL query without proper sanitization, parameterized queries, or allowlist validation.
Attack Vector
The attack is conducted over the network and requires only low privileges (an account able to reach the vulnerable endpoint). The attacker crafts values for the isAsc or orderByColumn parameters that break out of the intended SQL context and append additional SQL syntax.
For example, an attacker could manipulate the orderByColumn parameter to include SQL syntax that extracts sensitive data, modifies records, or executes administrative database commands. The vulnerability allows for remote exploitation without user interaction, making it suitable for automated attacks.
Technical details and proof-of-concept information are available in GitHub CVE Issue 3 and GitHub CVE Issue 4. Additional vulnerability documentation is available at VulDB #321251.
Detection Methods for CVE-2025-9410
Indicators of Compromise
- Unusual or malformed values in HTTP request parameters targeting orderByColumn or isAsc fields
- Database logs showing syntax errors or unexpected query patterns involving ORDER BY clauses
- Failed authentication attempts followed by successful data exfiltration patterns
- Increased database query execution times indicating time-based blind SQL injection attempts
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect common SQL injection patterns in the isAsc and orderByColumn parameters
- Monitor application logs for requests containing SQL keywords such as UNION, SELECT, DROP, --, or ' in sorting-related parameters
- Deploy runtime application self-protection (RASP) solutions to detect and block SQL injection attempts in real-time
- Use database activity monitoring to identify anomalous query patterns originating from the ruoyi-go application
Monitoring Recommendations
- Enable detailed logging for all requests to the endpoints backed by GenTableDao (the code-generator table listing) and review them for suspicious sorting parameter values
- Configure alerting for database errors related to SQL syntax, particularly those involving ORDER BY statements
- Monitor for data exfiltration patterns such as unusually large query result sets or access to sensitive tables
- Implement network traffic analysis to detect potential command-and-control communications following successful exploitation
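The log review described under Detection Strategies and Monitoring Recommendations, as an added example that is not part of the original page or of ruoyi-go: it scans constructed common-log-format lines, URL-decodes each query string, and reports any orderByColumn value that is not a bare identifier or any isAsc value other than asc/desc. The request paths in the sample lines are assumed.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Constructed access-log lines (common log format); the request paths are
// assumed for this example and are not taken from ruoyi-go.
var sampleLog = `10.0.0.5 - - [06/Oct/2025:10:00:01 +0000] "GET /tool/gen/list?pageNum=1&orderByColumn=createTime&isAsc=desc HTTP/1.1" 200 512
10.0.0.9 - - [06/Oct/2025:10:00:02 +0000] "GET /tool/gen/list?pageNum=1&orderByColumn=create_time%2C%281%29&isAsc=desc HTTP/1.1" 500 87
10.0.0.9 - - [06/Oct/2025:10:00:03 +0000] "GET /tool/gen/list?pageNum=1&orderByColumn=createTime&isAsc=desc%3B-- HTTP/1.1" 200 510
10.0.0.7 - - [06/Oct/2025:10:00:04 +0000] "GET /system/user/list?pageNum=1 HTTP/1.1" 200 2048`
// A legitimate orderByColumn is a bare identifier and isAsc is asc/desc.
var identOK = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)
var dirOK = regexp.MustCompile(`(?i)^(asc|desc)$`)

// scanLog returns one "client param=value" entry per sort parameter that
// fails its check; values are URL-decoded first so encoding cannot hide them.
func scanLog(log string) []string {
	var findings []string
	for _, line := range strings.Split(log, "\n") {
		f := strings.Fields(line) // f[6] is the request target in common log format
		if len(f) < 7 {
			continue
		}
		u, err := url.Parse(f[6])
		if err != nil {
			continue
		}
		for _, v := range u.Query()["orderByColumn"] {
			if !identOK.MatchString(v) {
				findings = append(findings, fmt.Sprintf("%s orderByColumn=%q", f[0], v))
			}
		}
		for _, v := range u.Query()["isAsc"] {
			if !dirOK.MatchString(v) {
				findings = append(findings, fmt.Sprintf("%s isAsc=%q", f[0], v))
			}
		}
	}
	return findings
}
func main() {
	for _, hit := range scanLog(sampleLog) {
		fmt.Println("suspicious sort parameter:", hit)
	}
}
```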
How to Mitigate CVE-2025-9410
Immediate Actions Required
- Audit all instances of ruoyi-go deployments to identify vulnerable versions (up to 2.1)
- Implement input validation allowlists for the isAsc parameter to accept only "ASC" or "DESC" values
- Restrict the orderByColumn parameter to a predefined list of valid column names
- Deploy WAF rules to block requests containing SQL injection payloads in sorting parameters
- Consider temporarily disabling the affected functionality if immediate patching is not possible
Patch Information
At the time of publication, the vendor (lostvip) has not responded to disclosure attempts regarding this vulnerability. No official patch has been released. Organizations using ruoyi-go should implement the workarounds described below and monitor the official lostvip ruoyi-go repository for security updates.
Workarounds
- Implement server-side validation to ensure isAsc only accepts "ASC" or "DESC" values using strict allowlist matching
- Create an allowlist of valid column names for the orderByColumn parameter and reject any values not on the list
- Modify the SelectListByPage function to use parameterized queries or prepared statements for all value positions, and to resolve the ORDER BY column and direction through an allowlist (identifiers and keywords cannot be bound as parameters), instead of string concatenation
- Deploy a reverse proxy or WAF with SQL injection detection rules in front of the ruoyi-go application
- If the code generator functionality is not required, consider disabling or removing the GenTableDao module entirely
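The allowlist workarounds above, as an added example written for this page (not code from ruoyi-go): the vulnerable builder mirrors the concatenation pattern described in the root cause, and the hardened builder maps a request-facing sort key to an allowlisted SQL identifier and restricts the direction to ASC or DESC. The column names are assumed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// allowedOrderColumns maps request-facing sort keys to the exact SQL
// identifiers allowed in ORDER BY. Hypothetical names for this example;
// a real deployment lists the columns of its own table.
var allowedOrderColumns = map[string]string{
	"tableName":  "table_name",
	"createTime": "create_time",
	"updateTime": "update_time",
}

// vulnerableOrderBy mirrors the flawed pattern: caller-supplied strings are
// concatenated into the clause, so whatever SQL they contain is executed.
func vulnerableOrderBy(orderByColumn, isAsc string) string {
	return fmt.Sprintf("ORDER BY %s %s", orderByColumn, isAsc)
}

// safeOrderBy is the hardened form. ORDER BY identifiers cannot be bound
// as prepared-statement parameters, so both inputs are resolved through an
// allowlist and only allowlisted text ever reaches the SQL string.
func safeOrderBy(orderByColumn, isAsc string) (string, error) {
	column, ok := allowedOrderColumns[orderByColumn]
	if !ok {
		return "", fmt.Errorf("orderByColumn %q not in allowlist", orderByColumn)
	}
	direction := strings.ToUpper(isAsc)
	if direction != "ASC" && direction != "DESC" {
		return "", fmt.Errorf("isAsc %q must be ASC or DESC", isAsc)
	}
	return fmt.Sprintf("ORDER BY %s %s", column, direction), nil
}

func main() {
	// Constructed inputs: a legitimate sort and a tampered column value.
	for _, in := range [][2]string{{"createTime", "desc"}, {"create_time, (1)", "asc"}} {
		fmt.Printf("vulnerable: %q\n", vulnerableOrderBy(in[0], in[1]))
		if clause, err := safeOrderBy(in[0], in[1]); err != nil {
			fmt.Printf("hardened:   rejected: %v\n", err)
		} else {
			fmt.Printf("hardened:   %q\n", clause)
		}
	}
}
```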
# Example ModSecurity rules to block SQL injection in sorting parameters
# (add to your ModSecurity configuration). Word boundaries keep legitimate
# column names such as update_time from matching the keyword list; the
# application-side allowlist remains the real fix.
SecRule ARGS:orderByColumn "@rx (?i)(\b(union|select|insert|update|delete|drop)\b|--|;|'|\")" \
    "id:100001,phase:2,t:none,deny,status:403,log,msg:'SQL Injection attempt in orderByColumn'"
SecRule ARGS:isAsc "!@rx (?i)^(asc|desc)$" \
    "id:100002,phase:2,t:none,deny,status:403,log,msg:'Invalid isAsc parameter value'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

