CVE-2025-9411 Overview
CVE-2025-9411 is a SQL injection vulnerability affecting lostvip-com ruoyi-go versions up to 2.1. The flaw resides in the SelectPageList function within modules/system/service/LoginInforService.go. Attackers can manipulate the isAsc argument to inject arbitrary SQL into backend queries. The vulnerability is remotely exploitable and requires low-level authentication. The exploit has been publicly disclosed, increasing the likelihood of opportunistic abuse. The vendor was contacted prior to disclosure but did not respond, and no official patch has been published.
Critical Impact
Authenticated remote attackers can inject SQL through the isAsc parameter to read, modify, or delete database records in affected ruoyi-go deployments.
Affected Products
- lostvip-com ruoyi-go versions through 2.1
- Deployments using the LoginInforService module
- Applications exposing the affected sort-order parameter isAsc
Discovery Timeline
- 2025-08-25 - CVE-2025-9411 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2025-9411
Vulnerability Analysis
The vulnerability is a classic SQL injection issue [CWE-89] arising from improper neutralization of user-controlled input in a database query [CWE-74]. The SelectPageList function in LoginInforService.go accepts an isAsc argument that controls sort ordering in paginated login information listings. Because this value is concatenated into the resulting SQL statement rather than bound as a parameter, an attacker can break out of the intended ORDER BY clause and append arbitrary SQL.
Successful exploitation can lead to disclosure of sensitive authentication records, modification of stored data, or further pivoting into the underlying database. The attack is network-reachable and only requires a low-privilege authenticated session.
Root Cause
The root cause is unsanitized concatenation of the isAsc parameter into a dynamically built SQL query. Sort-order parameters cannot be parameterized through standard placeholders, so the application must validate them against a strict allow list (for example, ASC or DESC). The affected code path performs no such validation, allowing arbitrary SQL fragments to influence query execution.
Attack Vector
An authenticated remote attacker sends a crafted request to the endpoint backed by SelectPageList, supplying a malicious isAsc value. Because the parameter is interpolated directly into the SQL string, the attacker can append additional clauses, UNION-based payloads, or time-based blind injection probes. No user interaction is required beyond authenticating with valid low-privilege credentials.
Technical details and references are available through the GitHub issue tracker and the VulDB entry #321252.
Detection Methods for CVE-2025-9411
Indicators of Compromise
- Web server or application logs containing unusual values in the isAsc query parameter, such as SQL keywords (UNION, SELECT, SLEEP, --)
- Repeated requests to endpoints that invoke SelectPageList in LoginInforService.go with varying isAsc payloads
- Database error messages referencing syntax errors near ORDER BY clauses
- Anomalous outbound database query patterns or large result sets returned from login information endpoints
Detection Strategies
- Inspect HTTP access logs for non-alphabetic characters or SQL metacharacters in the isAsc parameter
- Deploy web application firewall (WAF) rules that flag SQL keywords appearing in sort-order parameters
- Enable database query logging and alert on syntactically unusual ORDER BY clauses originating from the ruoyi-go application
- Correlate authentication events with subsequent abnormal queries against the login information tables
Monitoring Recommendations
- Monitor for repeated 500-level responses from endpoints associated with login information listings, which can indicate injection probing
- Track time-based anomalies in response latency, a common signature of blind SQL injection attempts
- Centralize and review application and database logs for queries deviating from expected templates
How to Mitigate CVE-2025-9411
Immediate Actions Required
- Restrict network exposure of ruoyi-go administrative endpoints to trusted internal networks or VPN users
- Audit accounts with access to the login information module and remove unused credentials
- Deploy WAF signatures that reject SQL metacharacters in the isAsc parameter until a code-level fix is available
- Review database accounts used by ruoyi-go and apply least-privilege permissions to limit injection impact
Patch Information
No official vendor patch is available at the time of publication. The vendor did not respond to the disclosure attempt recorded in the VulDB submission. Organizations using ruoyi-go should track the upstream repository and the public GitHub issue for remediation updates, or apply an in-house fix that validates isAsc against an allow list of ASC and DESC only.
Workarounds
- Implement an input validation wrapper that rejects any isAsc value other than ASC or DESC before it reaches SelectPageList
- Refactor the affected query to map isAsc to a constant string within application code rather than concatenating user input
- Apply database-level query allow-listing or stored procedures for paginated login information queries
- Temporarily disable or remove the affected endpoint if it is not required for production operations
# Example WAF rule (ModSecurity) blocking SQL metacharacters in isAsc
SecRule ARGS:isAsc "!@rx ^(?i)(asc|desc)$" \
"id:1009411,phase:2,deny,status:400,\
msg:'CVE-2025-9411: invalid isAsc value',\
tag:'sql-injection',tag:'ruoyi-go'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

