CVE-2025-0410
Published: 13 January 2025
Summary
CVE-2025-0410 is a medium-severity Injection (CWE-74) vulnerability in Liujianview Gymxmjpa. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 24.0th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-0410 is a vulnerability, classified as critical, in liujianview gymxmjpa version 1.0. It affects the MenberDaoInpl function in the file src/main/java/com/liujian/gymxmjpa/controller/MenberConntroller.java, where manipulation of the hyname argument enables SQL injection. The issue falls under CWE-74 and CWE-89.
The vulnerability allows remote exploitation with low attack complexity and requires low privileges (PR:L), with no user interaction needed. Per the CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), attackers can achieve low impacts on confidentiality, integrity, and availability through SQL injection.
Advisories reference GitHub issues at https://github.com/liujianview/gymxmjpa/issues/10 and https://github.com/liujianview/gymxmjpa/issues/10#issue-2765824571, along with VulDB entries including https://vuldb.com/?ctiid.291286, https://vuldb.com/?id.291286, and https://vuldb.com/?submit.473426. The exploit has been publicly disclosed and may be used.
The vulnerability was published on 2025-01-13, with the exploit already available to the public.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-1657
Vulnerability details
A vulnerability classified as critical was found in liujianview gymxmjpa 1.0. This vulnerability affects the function MenberDaoInpl of the file src/main/java/com/liujian/gymxmjpa/controller/MenberConntroller.java. The manipulation of the argument hyname leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in web application controller enables remote exploitation of public-facing application (T1190), abuse of server software component via arbitrary SQL execution (T1505), and collection of data from databases (T1213.006).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly prevents SQL injection by requiring validation and sanitization of inputs like the hyname argument in the MenberController before database queries.
Requires timely identification, reporting, and correction of the specific SQL injection flaw in gymxmjpa version 1.0.
Enables vulnerability scanning to detect and address SQL injection issues like CVE-2025-0410 in the affected Java controller.