CVE-2025-9413 Overview
A SQL injection vulnerability has been identified in lostvip-com ruoyi-go versions up to 2.1. The flaw affects the SelectListByPage function within the file modules/system/system_router.go. By manipulating the orderByColumn or isAsc parameters, an attacker can inject arbitrary SQL commands. This vulnerability is remotely exploitable over the network and requires low privileges to execute. An exploit has been publicly disclosed, and the vendor was contacted regarding this issue but did not respond.
Critical Impact
Remote attackers with low privileges can exploit SQL injection to manipulate database queries, potentially leading to unauthorized data access, data modification, or data exfiltration from the underlying database.
Affected Products
- lostvip ruoyi-go versions up to 2.1
- Applications utilizing the SelectListByPage function in modules/system/system_router.go
- Systems exposing the vulnerable endpoint to network access
Discovery Timeline
- August 25, 2025 - CVE-2025-9413 published to NVD
- October 9, 2025 - Last updated in NVD database
Technical Details for CVE-2025-9413
Vulnerability Analysis
This vulnerability is classified as SQL Injection (CWE-89) and more broadly as an Injection flaw (CWE-74). The root of the issue lies in the improper handling of user-supplied input within the SelectListByPage function. When parameters such as orderByColumn and isAsc are passed to the application, they are incorporated into SQL queries without adequate sanitization or parameterization. This allows an attacker to craft malicious input that alters the intended SQL logic.
The vulnerability is exploitable remotely over the network with low attack complexity. An authenticated attacker with minimal privileges can leverage this flaw to inject SQL commands, potentially gaining unauthorized access to sensitive data, modifying database records, or disrupting application functionality.
Root Cause
The vulnerability stems from insufficient input validation in the SelectListByPage function: the orderByColumn and isAsc parameters are concatenated directly into the SQL query string, so user-controlled data is interpreted as SQL syntax rather than as a data value. Note that, unlike values in a WHERE clause, ORDER BY identifiers and sort directions cannot be bound as prepared-statement parameters in common databases (binding a string there sorts by a constant), so parameterization alone does not close this class of bug. The correct fix is to map the two parameters against a fixed allowlist of column names and directions and reject anything else.
Attack Vector
The attack is initiated remotely over the network. An authenticated attacker sends crafted HTTP requests containing malicious SQL fragments in the orderByColumn or isAsc parameters. When these parameters are processed by the SelectListByPage function in modules/system/system_router.go, the injected SQL is executed against the database.
Because the injection point is the ORDER BY clause rather than a WHERE value, the attacker typically cannot append a UNION, but can supply expressions that either raise database errors carrying data (error-based) or introduce conditional delays (time-based blind), and can thereby extract data from the database. More details can be found in the GitHub CVE Issue #8 and GitHub CVE Issue #9.
Detection Methods for CVE-2025-9413
Indicators of Compromise
- Unusual SQL error messages in application logs referencing orderByColumn or isAsc parameters
- Anomalous database query patterns involving ORDER BY clause manipulation
- Web application firewall (WAF) alerts indicating SQL injection attempts targeting sorting parameters
- Database audit logs showing unexpected queries or data access patterns
Detection Strategies
- Implement SQL injection detection rules in web application firewalls targeting ORDER BY parameter manipulation
- Monitor application logs for SQL syntax errors or database exceptions triggered by malformed input
- Deploy database activity monitoring to detect unusual query patterns or unauthorized data access
- Conduct regular code reviews and static analysis on Go applications using database queries
Monitoring Recommendations
- Enable detailed logging for the modules/system/system_router.go endpoints
- Configure alerting for repeated failed database queries originating from the same source
- Monitor network traffic for requests containing SQL keywords in query parameters
- Establish baseline database query behavior and alert on deviations
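The log-based indicators and the "repeated attempts from the same source" alert above can be implemented as a small scanner. The following Go program is an added example, not code from ruoyi-go or from the advisory: it parses constructed access-log lines (the /system/user/list path is assumed, not taken from the project), URL-decodes the query string, and flags any orderByColumn value that is not a plain identifier and any isAsc value that is not a known sort direction, then counts findings per client.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Finding is one suspicious sort parameter observed in the access log.
type Finding struct {
	Line   int    // 1-based index into the scanned lines
	Client string // client IP (first field of the log line)
	Param  string // orderByColumn or isAsc
	Value  string // URL-decoded parameter value
	Reason string
}

// requestLine extracts the request target from a combined-format log line.
var requestLine = regexp.MustCompile(`"(?:GET|POST|PUT|DELETE) (\S+) HTTP/[0-9.]+"`)

// A legitimate sort column is a plain identifier; anything else is suspect.
var identifier = regexp.MustCompile(`^[A-Za-z0-9_]{1,64}$`)

// Accepted sort directions (assumed; extend to match what your frontend sends).
var directions = map[string]bool{"asc": true, "desc": true, "ascending": true, "descending": true}

// scanAccessLog flags requests whose orderByColumn or isAsc value is not a
// plain identifier or a known direction. It inspects the decoded value, so
// URL-encoded payloads are caught as well.
func scanAccessLog(lines []string) []Finding {
	var findings []Finding
	for i, line := range lines {
		m := requestLine.FindStringSubmatch(line)
		if m == nil {
			continue // not a request line we understand
		}
		u, err := url.Parse(m[1])
		if err != nil {
			continue
		}
		q := u.Query()
		client := strings.SplitN(line, " ", 2)[0]
		for _, val := range q["orderByColumn"] {
			if !identifier.MatchString(val) {
				findings = append(findings, Finding{Line: i + 1, Client: client, Param: "orderByColumn", Value: val, Reason: "not a plain identifier"})
			}
		}
		for _, val := range q["isAsc"] {
			if !directions[strings.ToLower(val)] {
				findings = append(findings, Finding{Line: i + 1, Client: client, Param: "isAsc", Value: val, Reason: "not a known sort direction"})
			}
		}
	}
	return findings
}

// countByClient supports the "repeated attempts from one source" alert.
func countByClient(findings []Finding) map[string]int {
	counts := make(map[string]int)
	for _, f := range findings {
		counts[f.Client]++
	}
	return counts
}

// sampleLog is constructed test data; the endpoint path is assumed, not ruoyi-go's.
var sampleLog = []string{
	`10.0.0.5 - - [25/Aug/2025:10:01:02 +0000] "GET /system/user/list?pageNum=1&pageSize=10&orderByColumn=userName&isAsc=asc HTTP/1.1" 200 1532`,
	`10.0.0.9 - - [25/Aug/2025:10:01:07 +0000] "GET /system/user/list?pageNum=1&pageSize=10&orderByColumn=user_name%2C(SELECT%20SLEEP(5))&isAsc=asc HTTP/1.1" 200 1532`,
	`10.0.0.9 - - [25/Aug/2025:10:01:09 +0000] "GET /system/user/list?orderByColumn=userName&isAsc=asc%2Cupdatexml(1%2Cconcat(0x7e%2Cversion())%2C1) HTTP/1.1" 500 87`,
	`10.0.0.5 - - [25/Aug/2025:10:02:00 +0000] "GET /system/user/list?pageNum=2&pageSize=10 HTTP/1.1" 200 1490`,
}

func main() {
	findings := scanAccessLog(sampleLog)
	for _, f := range findings {
		fmt.Printf("line %d client %s %s=%q: %s\n", f.Line, f.Client, f.Param, f.Value, f.Reason)
	}
	for client, n := range countByClient(findings) {
		if n >= 2 {
			fmt.Printf("ALERT: %d suspicious sort requests from %s\n", n, client)
		}
	}
}
```

The allowlist check is deliberately positive: a keyword denylist (select, union, sleep, updatexml, ...) would need constant maintenance, whereas a sort column that is not an identifier is suspicious regardless of which function the attacker used.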
How to Mitigate CVE-2025-9413
Immediate Actions Required
- Restrict network access to affected ruoyi-go instances until a patch is available
- Implement web application firewall rules to block SQL injection attempts in orderByColumn and isAsc parameters
- Review application logs for evidence of exploitation attempts
- Consider disabling or restricting the SelectListByPage functionality if not critical to operations
Patch Information
At the time of publication, the vendor (lostvip) has not responded to disclosure attempts and no official patch is available. Organizations should monitor the VulDB entry #321254 and the official ruoyi-go repository for updates. Consider implementing workarounds or compensating controls until an official fix is released.
Workarounds
- Validate orderByColumn and isAsc against an allowlist: map orderByColumn to a fixed set of known column names and accept only the literal sort directions the frontend sends (for example asc/desc), rejecting anything else
- Use prepared statements or parameterized queries for data values in WHERE clauses; the sort column and direction cannot be bound as parameters, so only the allowlist mapping protects the ORDER BY clause
- Deploy a web application firewall with SQL injection protection rules
- Restrict access to affected endpoints using network segmentation or authentication controls
- Consider migrating to an alternative solution if no patch becomes available
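The root cause described earlier (string concatenation into ORDER BY) and the allowlist workaround above, side by side. This is an added example in Go and does not reproduce ruoyi-go's SelectListByPage code; the function names, the column map and the sort-direction strings are assumptions chosen for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Names below are hypothetical; they do not reproduce ruoyi-go's own helper.

// buildOrderByUnsafe shows the pattern the advisory describes: both request
// parameters are concatenated straight into the ORDER BY clause.
func buildOrderByUnsafe(orderByColumn, isAsc string) string {
	if orderByColumn == "" {
		return ""
	}
	return " ORDER BY " + orderByColumn + " " + isAsc
}

// allowedSortColumns maps user-facing sort keys to real column names. The
// request value is only ever used as a map key; the SQL identifier comes from
// the map value, so request bytes never reach the query. (Illustrative
// columns for a users table, not ruoyi-go's schema.)
var allowedSortColumns = map[string]string{
	"userId":     "user_id",
	"userName":   "user_name",
	"createTime": "create_time",
}

// allowedDirections accepts the bare direction and the ascending/descending
// strings some table widgets send (assumed; adjust to your frontend).
var allowedDirections = map[string]string{
	"":           "ASC",
	"asc":        "ASC",
	"desc":       "DESC",
	"ascending":  "ASC",
	"descending": "DESC",
}

// ErrBadSortParam is returned for any value not on the allowlist.
var ErrBadSortParam = errors.New("invalid sort parameter")

// buildOrderBySafe is the hardened builder: allowlist lookup instead of
// concatenation. ORDER BY identifiers cannot be bound as prepared-statement
// parameters, so this lookup is the actual defence.
func buildOrderBySafe(orderByColumn, isAsc string) (string, error) {
	if orderByColumn == "" {
		return "", nil
	}
	col, ok := allowedSortColumns[orderByColumn]
	if !ok {
		return "", fmt.Errorf("%w: column %q", ErrBadSortParam, orderByColumn)
	}
	dir, ok := allowedDirections[strings.ToLower(isAsc)]
	if !ok {
		return "", fmt.Errorf("%w: direction %q", ErrBadSortParam, isAsc)
	}
	return " ORDER BY " + col + " " + dir, nil
}

func main() {
	base := "SELECT user_id, user_name FROM sys_user WHERE del_flag = '0'"

	// Benign request: the unsafe builder behaves as intended.
	fmt.Println(base + buildOrderByUnsafe("user_name", "asc"))

	// Generic MySQL time-based payload in the sort key: with the unsafe
	// builder it becomes part of the query and delays the response.
	payload := "user_name,(SELECT SLEEP(5))"
	fmt.Println(base + buildOrderByUnsafe(payload, "asc"))

	// The hardened builder rejects the same input and maps valid keys.
	if _, err := buildOrderBySafe(payload, "asc"); err != nil {
		fmt.Println("rejected:", err)
	}
	clause, _ := buildOrderBySafe("userName", "descending")
	fmt.Println(base + clause)
}
```

Keep the column map per endpoint rather than global: a sort key that is valid for the user list should not be accepted on an unrelated query, and an unexpected key should produce a 400 to the client and a log entry, not a fallback to the default order.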
# Example ModSecurity rules for the two sort parameters.
# These allowlist the expected shape of each value instead of denylisting SQL
# keywords: a keyword list misses functions such as sleep() or updatexml() and
# is easy to bypass, whereas a sort column that is not a plain identifier is
# suspicious whatever the attacker wrapped it in.
# orderByColumn must be an identifier: letters, digits, underscore, at most 64 chars
SecRule ARGS:orderByColumn "!@rx ^[A-Za-z0-9_]{1,64}$" \
    "id:100001,phase:2,deny,status:403,log,msg:'Invalid orderByColumn value (possible SQL injection, CVE-2025-9413)'"
# isAsc must be one of the sort-direction keywords the frontend sends
# (adjust the list to the values your deployment actually uses)
SecRule ARGS:isAsc "!@rx ^(?i)(asc|desc|ascending|descending)$" \
    "id:100002,phase:2,deny,status:403,log,msg:'Invalid isAsc value (possible SQL injection, CVE-2025-9413)'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

