CVE-2025-0409
Published: 13 January 2025
Summary
CVE-2025-0409 is a medium-severity Injection (CWE-74) vulnerability in Liujianview Gymxmjpa. Its base score as recorded here is 5.3 (Medium); note that the CVSS v3.1 vector quoted in the deeper analysis below evaluates to 6.3, so the two figures on this page do not come from the same scoring.
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE sits at the 24.0th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-0409 is a SQL injection vulnerability (classified as "critical" by the VulDB advisory; CVSS-wise it is Medium) in liujianview gymxmjpa version 1.0. The advisory locates the flaw in the function MembertypeDaoImpl of the file src/main/java/com/liujian/gymxmjpa/controller/MembertypeController.java, where manipulation of the typeName argument allows SQL to be injected into a database query. Published on 2025-01-13, it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and is associated with CWE-74 (Injection) and CWE-89 (SQL Injection).
The vulnerability is remotely exploitable by an authenticated, low-privileged user (PR:L) with low attack complexity and no user interaction. An attacker who controls the typeName parameter can alter the query, with limited impact on confidentiality, integrity, and availability (C:L/I:L/A:L): for example reading rows the user should not see, modifying data, or disrupting the service. Scope is unchanged (S:U), so the damage is bounded by the application's own data and the privileges of its database account.
References for further details include GitHub issues at https://github.com/liujianview/gymxmjpa/issues/9 and https://github.com/liujianview/gymxmjpa/issues/9#issue-2765816110, as well as VulDB entries at https://vuldb.com/?ctiid.291285, https://vuldb.com/?id.291285, and https://vuldb.com/?submit.473425. The exploit has been publicly disclosed and may be used by attackers.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-1656
Vulnerability details
A vulnerability classified as critical has been found in liujianview gymxmjpa 1.0. This affects the function MembertypeDaoImpl of the file src/main/java/com/liujian/gymxmjpa/controller/MembertypeController.java. The manipulation of the argument typeName leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote SQL injection in web application controller (MembertypeController.java) enables exploitation of public-facing application (T1190), abuse of server software component (T1505 per advisory), and arbitrary database queries for data collection (T1213.006).
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation): directly requires validation of the typeName input parameter, which blocks the SQL injection manipulation in MembertypeController.java; in practice this means binding typeName as a query parameter and allow-listing its format rather than concatenating it into SQL.
SI-2 (Flaw Remediation): mandates identification, reporting, and correction of the specific SQL injection flaw in gymxmjpa 1.0 via patching.
RA-5 (Vulnerability Monitoring and Scanning): vulnerability scanning detects SQL injection issues like CVE-2025-0409 in the application so they can be remediated.
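The following is an added example, not code from the gymxmjpa project or the advisory: it models the typeName injection described in the deeper analysis and the SI-10 input-validation control above. The schema, table and column names (membertype, users, type_name) and the sample rows are constructed for the demo; the project's real query and data model are not known from the advisory. It uses Python's sqlite3 so it runs offline.

```python
"""Model of the CVE-2025-0409 pattern: typeName concatenated into SQL.

Added example; not the gymxmjpa code. All table/column names and data
below are constructed for illustration.
"""
import re
import sqlite3

# Constructed schema: a member-type table as a gym app might have, plus a
# second table so a UNION payload can show the confidentiality impact.
SCHEMA = """
CREATE TABLE membertype (id INTEGER PRIMARY KEY, type_name TEXT, price INTEGER);
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
INSERT INTO membertype VALUES (1, 'monthly', 30), (2, 'annual', 300), (3, 'vip', 900);
INSERT INTO users VALUES (1, 'admin', 'hash-constructed-1'), (2, 'coach', 'hash-constructed-2');
"""


def new_db() -> sqlite3.Connection:
    """Fresh in-memory database loaded with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def find_by_type_name_vulnerable(conn: sqlite3.Connection, type_name: str) -> list:
    """Vulnerable lookup: attacker-controlled text is spliced into the statement."""
    sql = f"SELECT id, type_name, price FROM membertype WHERE type_name = '{type_name}'"
    return conn.execute(sql).fetchall()


def find_by_type_name_fixed(conn: sqlite3.Connection, type_name: str) -> list:
    """Hardened lookup: the value is bound, never parsed as SQL."""
    sql = "SELECT id, type_name, price FROM membertype WHERE type_name = ?"
    return conn.execute(sql, (type_name,)).fetchall()


# Allow-list for a type name (hypothetical format chosen for the demo).
TYPE_NAME_RE = re.compile(r"^[A-Za-z0-9_ -]{1,32}$")


def validate_type_name(type_name: str) -> bool:
    """SI-10 style check: reject anything outside the expected format.
    Defence in depth; parameter binding above is the actual fix."""
    return TYPE_NAME_RE.fullmatch(type_name) is not None


# Constructed payloads of the kind an attacker would pass as typeName.
TAUTOLOGY = "' OR '1'='1"
UNION_DUMP = "x' UNION SELECT id, username, password_hash FROM users --"


def demo() -> dict:
    """Run both code paths against the same payloads and return the results."""
    conn = new_db()
    return {
        "vuln_legit": find_by_type_name_vulnerable(conn, "vip"),
        "vuln_tautology": find_by_type_name_vulnerable(conn, TAUTOLOGY),
        "vuln_union": find_by_type_name_vulnerable(conn, UNION_DUMP),
        "fixed_legit": find_by_type_name_fixed(conn, "vip"),
        "fixed_tautology": find_by_type_name_fixed(conn, TAUTOLOGY),
        "fixed_union": find_by_type_name_fixed(conn, UNION_DUMP),
        "valid_legit": validate_type_name("vip"),
        "valid_tautology": validate_type_name(TAUTOLOGY),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The tautology payload turns the WHERE clause into one that is always true, so the vulnerable path returns every member type; the UNION payload returns rows from the unrelated users table through the same endpoint, which is the C:L (information disclosure) side of the score. The bound-parameter version returns nothing for both payloads because the whole string is compared as a literal value, and the allow-list check rejects them before the query is ever built.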