Skip to main content

Java CVE-2025-53639

| EUVDEUVD-2025-21386 CRITICAL
SQL Injection (CWE-89)
2025-07-14 security-advisories@github.com
9.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 05:51 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
3.6.5-lts
EUVD ID Assigned
Mar 16, 2026 - 09:43 euvd
EUVD-2025-21386
Analysis Generated
Mar 16, 2026 - 09:43 vuln.today
CVE Published
Jul 14, 2025 - 20:15 nvd
CRITICAL 9.8

DescriptionGitHub Advisory

MeterSphere is an open source continuous testing platform. Prior to version 3.6.5-lts, the sortField parameter in certain API endpoints is not properly validated or sanitized. An attacker can supply crafted input to inject and execute arbitrary SQL statements through the sorting functionality. This could result in modification or deletion of database contents, with a potential full compromise of the application’s database integrity and availability. Version 3.6.5-lts fixes the issue.

AnalysisAI

CVE-2025-53639 is a critical SQL injection vulnerability in MeterSphere's API sorting functionality where the sortField parameter lacks proper input validation and sanitization. All versions prior to 3.6.5-lts are affected, allowing unauthenticated remote attackers to execute arbitrary SQL statements and completely compromise database integrity, availability, and confidentiality. This is a network-exploitable vulnerability with no authentication required and high real-world risk.

Technical ContextAI

The vulnerability exists in MeterSphere (CPE: cpe:2.3:a:metersphere:metersphere:*:*:*:*:*:*:*:*), an open-source continuous testing platform written in Java. The root cause is classified under CWE-89 (SQL Injection), specifically improper neutralization of special elements used in an SQL command. The sortField parameter in multiple API endpoints is passed directly into SQL ORDER BY clauses or similar database query construction without parameterized queries or input validation. The application fails to use prepared statements with bound parameters, instead concatenating user-supplied input directly into dynamic SQL queries. This is a classic second-order or direct SQL injection vulnerability in the sorting/filtering layer.

RemediationAI

{'type': 'Patch', 'action': 'Upgrade MeterSphere to version 3.6.5-lts or later', 'priority': 'CRITICAL', 'details': 'The patched version 3.6.5-lts implements proper input validation and sanitization of the sortField parameter, likely through parameterized queries, allowlist validation, or input escaping.'} {'type': 'Immediate Mitigation', 'action': 'If immediate patching is not possible, implement WAF rules to block requests containing SQL keywords in sortField parameter values', 'details': 'Block requests where sortField contains: UNION, SELECT, DROP, INSERT, UPDATE, DELETE, OR, AND, --, /*. This is a temporary measure only.'} {'type': 'Detection', 'action': 'Monitor API access logs for suspicious sortField values containing SQL syntax or special characters', 'details': 'Search for patterns: semicolons, comment sequences (--, /*), SQL keywords, UNION statements in sortField parameter logs.'} {'type': 'Access Control', 'action': 'If running vulnerable versions, restrict network access to MeterSphere APIs to trusted internal networks only', 'details': 'Disable external/internet-facing access until patching is complete.'}

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Share

CVE-2025-53639 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy