TDuckCloud tduck-platform CVE-2025-7888
Severity by source: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD, the only source for this CVE.
Description (source: CVE.org)
A vulnerability was found in TDuckCloud tduck-platform 5.1 and classified as critical. This issue affects the function UserFormDataMapper of the file src/main/java/com/tduck/cloud/form/mapper/UserFormDataMapper.java. The manipulation of the argument formKey leads to SQL injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis (AI-generated)
SQL injection in TDuckCloud tduck-platform 5.1 allows authenticated remote attackers to manipulate the formKey parameter in the UserFormDataMapper function, enabling unauthorized database queries with limited confidentiality and integrity impact. Publicly available exploit code exists, and the vendor has not responded to early disclosure notification.
Technical Context (AI-generated)
The vulnerability exists in the UserFormDataMapper class (src/main/java/com/tduck/cloud/form/mapper/UserFormDataMapper.java) of the Java-based tduck-platform application. The root cause is improper input validation on the formKey parameter, classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component). The injection occurs in the data mapping layer: the user-supplied formKey value is incorporated into the text of a SQL statement rather than passed as a bound parameter, so an authenticated caller who controls formKey can alter the query the database executes.
Remediation (AI-generated)
No vendor-released patch has been identified at the time of analysis despite early vendor notification. Organizations running tduck-platform 5.1 should immediately switch the affected query in the UserFormDataMapper class to parameterized SQL (prepared statements with bound parameters) so that the formKey value can no longer change the statement structure, or upgrade to a patched version if the vendor releases one. As a temporary compensating control, restrict the database account used by the tduck-platform application to the minimum privileges it needs (read-only where possible), which limits what a successful injection can do but does not prevent data exfiltration through it. Implement Web Application Firewall (WAF) rules to detect and block common SQL injection patterns in formKey parameter values (e.g., SQL keywords such as UNION, EXEC, DECLARE); treat this as detection and noise reduction, not as a substitute for parameterization. Additionally, restrict access to the affected form-data endpoints to trusted internal networks to reduce the remote attack surface (the vulnerability requires low-privilege authentication, PR:L, so network restriction limits who can reach it rather than removing the flaw). Monitor database logs for unusual query patterns originating from tduck-platform application connections.
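The parameterization fix described in the Remediation, and the string-splicing defect class described in the Technical Context, as an added example that is not code from tduck-platform or from this advisory's author. It uses a constructed in-memory SQLite table standing in for the form-data table the mapper queries; the table and column names (user_form_data, form_key, payload) and the key alphabet enforced by the allowlist check are assumptions. In the Java mapper the equivalent fix is a JDBC PreparedStatement placeholder (`?`) with `setString`, or, if the mapper is MyBatis-based (an assumption about the project), `#{formKey}` in place of `${formKey}` string substitution.

```python
import re
import sqlite3

# Constructed schema and sample rows standing in for the form-data table
# (names are assumptions, not taken from tduck-platform).
SCHEMA = """
CREATE TABLE user_form_data (
    id       INTEGER PRIMARY KEY,
    form_key TEXT NOT NULL,
    payload  TEXT NOT NULL
);
INSERT INTO user_form_data (form_key, payload) VALUES ('survey2024', 'answers of user A');
INSERT INTO user_form_data (form_key, payload) VALUES ('hr-intake',  'answers of user B');
"""

# Assumed allowlist for a form key: short, URL-safe identifier characters only.
FORM_KEY_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def open_db():
    """Create the constructed in-memory database with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn, form_key):
    """The defect pattern: the caller-controlled value becomes part of the SQL text.

    Any quote character in form_key changes the statement the database parses,
    which is exactly what CWE-74 / SQL injection means in the mapper layer.
    """
    sql = f"SELECT payload FROM user_form_data WHERE form_key = '{form_key}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, form_key):
    """The fix: the value travels as a bound parameter and is never parsed as SQL.

    The statement text is a constant; the driver passes form_key to the engine
    out of band, so a quote or keyword inside it is just data to compare against.
    """
    sql = "SELECT payload FROM user_form_data WHERE form_key = ?"
    return [row[0] for row in conn.execute(sql, (form_key,))]


def is_valid_form_key(form_key):
    """Defense in depth: reject anything outside the expected key alphabet before
    it reaches the data layer. Not a replacement for parameterization, but it
    turns malformed keys into a clean 4xx instead of a database round-trip."""
    return isinstance(form_key, str) and FORM_KEY_RE.fullmatch(form_key) is not None


if __name__ == "__main__":
    db = open_db()
    probe = "' OR '1'='1"  # a reviewer's probe input confirming whether the query is parameterized
    print("vulnerable  :", lookup_vulnerable(db, probe))      # returns every row
    print("parameterized:", lookup_parameterized(db, probe))  # returns nothing
    print("allowlist    :", is_valid_form_key(probe))         # False
```

A practitioner can use the same probe against a staging instance to verify that a patched mapper no longer returns rows for a key that does not exist; the parameterized lookup should behave identically whether the key is `survey2024` or a string full of quotes. Apply `is_valid_form_key` at the controller boundary before the mapper is called.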