Urgent: High-Severity SQL Injection Flaw Threatens codehub666 94list (CVE-2025-13395)

Overview

A critical security vulnerability, identified as CVE-2025-13395, has been discovered in codehub666 94list. This flaw, affecting versions up to commit 5831c8240e99a72b7d3508c79ef46ae4b96befe8, is a remotely exploitable SQL injection vulnerability located within the Login function of the /function.php file. The exploit is publicly available, increasing the urgency of mitigation.

Technical Details

The vulnerability resides in the Login function within /function.php. Improper sanitization of user-supplied input during the login process allows attackers to inject arbitrary SQL commands. This could allow unauthorized access to the database, potentially leading to data breaches, modification of data, or complete system compromise.

The vulnerable component is:

/function.php:Login

The affected product is codehub666 94list. It’s important to note that this product does not use versioning, making it difficult to pinpoint specific affected releases. However, all versions up to commit 5831c8240e99a72b7d3508c79ef46ae4b96befe8 are considered vulnerable.

CVSS Analysis

The vulnerability has a CVSS v3 score of 7.3, indicating a HIGH severity.

• CVSS Score: 7.3
• Attack Vector: Network (AV:N) – The vulnerability is remotely exploitable.
• Attack Complexity: Low (AC:L) – Exploitation requires little to no specialized access conditions or extenuating circumstances.
• Privileges Required: None (PR:N) – No privileges are required to exploit the vulnerability.
• User Interaction: None (UI:N) – No user interaction is required for exploitation.
• Scope: Unchanged (S:U) – An exploited vulnerability can only affect resources managed by the same security authority.
• Confidentiality Impact: High (C:H) – There is total information disclosure, resulting in all resources within the impacted component being divulged to the attacker.
• Integrity Impact: High (I:H) – There is a total loss of protection, resulting in all resources within the impacted component being changed or deleted by the attacker.
• Availability Impact: High (A:H) – There is a total loss of protection, resulting in all resources within the impacted component becoming unavailable, or inaccessible to the legitimate user.

Possible Impact

Successful exploitation of this SQL injection vulnerability could lead to severe consequences, including:

• Data Breach: Sensitive data, such as user credentials and personal information, could be stolen.
• Data Manipulation: Attackers could modify or delete data within the database, potentially disrupting operations or causing financial loss.
• Account Takeover: Attackers could gain unauthorized access to user accounts, including administrator accounts.
• System Compromise: In some cases, successful SQL injection can lead to complete system compromise.

Mitigation or Patch Steps

Due to the lack of versioning in codehub666 94list, there’s no specific patch available. The following mitigation steps are recommended:

• Input Sanitization: Implement robust input validation and sanitization techniques to prevent SQL injection. Use parameterized queries or prepared statements.
• Web Application Firewall (WAF): Deploy a WAF to detect and block malicious SQL injection attempts.
• Principle of Least Privilege: Ensure that database users have only the necessary privileges required for their roles.
• Code Review: Conduct thorough code reviews to identify and remediate potential vulnerabilities. Pay special attention to areas where user input is used in SQL queries.
• Consider Alternative Solutions: If possible, evaluate migrating to a more secure and actively maintained alternative solution.

References

• GitHub Issue: codehub666/94list #63
• GitHub Issue Comment: codehub666/94list #63 (Issue Comment)
• VulDB: CTI ID 332923
• VulDB: Vulnerability ID 332923
• VulDB: Submit Form (for reporting)