CVE-2025-1901
Published: 04 March 2025
Summary
CVE-2025-1901 is a high-severity Injection (CWE-74) vulnerability in Phpgurukul Restaurant Table Booking System. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 20.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires identification, reporting, testing, and correction of the specific SQL injection flaw in /admin/check_availability.php.
Mandates validation of the username input parameter to block SQL injection manipulation in the vulnerable endpoint.
Vulnerability scanning detects SQL injection issues like CVE-2025-1901 in web applications such as the Restaurant Table Booking System.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated SQL injection in a public-facing web application (PHP-based booking system) directly enables exploitation of public-facing applications for initial access.
NVD Description
A vulnerability was found in PHPGurukul Restaurant Table Booking System 1.0. It has been classified as critical. This affects an unknown part of the file /admin/check_availability.php. The manipulation of the argument username leads to sql injection. It is possible to…
more
initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Deeper analysisAI
CVE-2025-1901 is a critical SQL injection vulnerability (CWE-74, CWE-89) in PHPGurukul Restaurant Table Booking System 1.0. The flaw affects an unknown functionality within the file /admin/check_availability.php, where manipulation of the username argument enables SQL injection.
The vulnerability is remotely exploitable by unauthenticated attackers requiring low attack complexity and no user interaction, per its CVSS 3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). Exploitation allows limited impacts on confidentiality, integrity, and availability through arbitrary SQL execution.
Advisories and details are available via VulDB entries (ctiid.298419, id.298419, submit.506612) and the vendor site phpgurukul.com. A proof-of-concept exploit has been publicly disclosed on GitHub.
The public availability of the exploit increases the risk of real-world attacks against exposed instances of the affected software.
Details
- CWE(s)