Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionGitHub Advisory
MeterSphere is an open source continuous testing platform. Prior to version 3.6.5-lts, the sortField parameter in certain API endpoints is not properly validated or sanitized. An attacker can supply crafted input to inject and execute arbitrary SQL statements through the sorting functionality. This could result in modification or deletion of database contents, with a potential full compromise of the application’s database integrity and availability. Version 3.6.5-lts fixes the issue.
AnalysisAI
CVE-2025-53639 is a critical SQL injection vulnerability in MeterSphere's API sorting functionality where the sortField parameter lacks proper input validation and sanitization. All versions prior to 3.6.5-lts are affected, allowing unauthenticated remote attackers to execute arbitrary SQL statements and completely compromise database integrity, availability, and confidentiality. This is a network-exploitable vulnerability with no authentication required and high real-world risk.
Technical ContextAI
The vulnerability exists in MeterSphere (CPE: cpe:2.3:a:metersphere:metersphere:*:*:*:*:*:*:*:*), an open-source continuous testing platform written in Java. The root cause is classified under CWE-89 (SQL Injection), specifically improper neutralization of special elements used in an SQL command. The sortField parameter in multiple API endpoints is passed directly into SQL ORDER BY clauses or similar database query construction without parameterized queries or input validation. The application fails to use prepared statements with bound parameters, instead concatenating user-supplied input directly into dynamic SQL queries. This is a classic second-order or direct SQL injection vulnerability in the sorting/filtering layer.
RemediationAI
{'type': 'Patch', 'action': 'Upgrade MeterSphere to version 3.6.5-lts or later', 'priority': 'CRITICAL', 'details': 'The patched version 3.6.5-lts implements proper input validation and sanitization of the sortField parameter, likely through parameterized queries, allowlist validation, or input escaping.'} {'type': 'Immediate Mitigation', 'action': 'If immediate patching is not possible, implement WAF rules to block requests containing SQL keywords in sortField parameter values', 'details': 'Block requests where sortField contains: UNION, SELECT, DROP, INSERT, UPDATE, DELETE, OR, AND, --, /*. This is a temporary measure only.'} {'type': 'Detection', 'action': 'Monitor API access logs for suspicious sortField values containing SQL syntax or special characters', 'details': 'Search for patterns: semicolons, comment sequences (--, /*), SQL keywords, UNION statements in sortField parameter logs.'} {'type': 'Access Control', 'action': 'If running vulnerable versions, restrict network access to MeterSphere APIs to trusted internal networks only', 'details': 'Disable external/internet-facing access until patching is complete.'}
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-21386