CVE-2025-22954
Published: 12 March 2025
Summary
CVE-2025-22954 is a critical-severity SQL Injection (CWE-89) vulnerability in Koha Community (inferred from references). Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 3.3% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Koha before version 24.11.02 contains a SQL injection vulnerability in the GetLateOrMissingIssues function within C4/Serials.pm. The flaw is exposed through the /serials/lateissues-export.pl endpoint and can be triggered via the supplierid or serialid parameters. It corresponds to CWE-89, and its CVSS 3.1 score of 10.0 reflects network-accessible, low-complexity attack conditions that affect confidentiality, integrity, and availability with changed scope.
An unauthenticated remote attacker can supply crafted input to these parameters and execute arbitrary SQL commands against the Koha database. Successful exploitation grants full read/write access and the ability to alter or delete records, potentially leading to complete system compromise without requiring user interaction or credentials.
The referenced Koha bug report and 24.11.02 release announcement indicate that the issue is resolved by upgrading to Koha 24.11.02 or later. The associated EPSS score of 0.2866 shows no material increase from a lower baseline.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7619
Vulnerability details
GetLateOrMissingIssues in C4/Serials.pm in Koha before 24.11.02 allows SQL Injection in /serials/lateissues-export.pl via the supplierid or serialid parameter.
- CWE(s): CWE-89 (SQL Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
Why these techniques?
SQL injection in an unauthenticated, public-facing web endpoint (/serials/lateissues-export.pl) directly enables T1190, exploitation of public-facing applications, for initial access and arbitrary database queries.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly prevents SQL injection by validating untrusted inputs such as the supplierid and serialid parameters prior to their use in database queries.
- SI-2 (Flaw Remediation): Addresses the root cause through timely flaw remediation, such as patching Koha to version 24.11.02 or later.
- Restricts the supplierid and serialid parameters to authorized content types, formats, and lengths to block malicious SQL payloads.
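The two code-level controls above (validate the ID parameters before use, and never let them reach the query as SQL text) are illustrated by the following added example. It is not Koha's code: Koha is written in Perl, and this Python stand-in uses an in-memory SQLite table whose name, columns, status values and sample rows are constructed assumptions. The handle_export function is a hypothetical request handler playing the role of /serials/lateissues-export.pl; get_late_or_missing_issues mirrors only the shape of the GetLateOrMissingIssues lookup, with every caller-supplied value bound through a placeholder.

```python
import re
import sqlite3

# Constructed schema standing in for the serial data the lookup reads.
# Table and column names are assumptions for this example, not Koha's.
SCHEMA = """
CREATE TABLE serial (
    serialid   INTEGER PRIMARY KEY,
    supplierid INTEGER NOT NULL,
    title      TEXT    NOT NULL,
    status     TEXT    NOT NULL
);
"""

# Constructed sample rows; the status strings are illustrative, not Koha's codes.
ROWS = [
    (1, 10, "Journal A", "late"),
    (2, 10, "Journal B", "arrived"),
    (3, 20, "Journal C", "missing"),
    (4, 20, "Journal D", "late"),
]

# An ID parameter is accepted only as a short, purely numeric string (SI-10:
# restrict the input to an approved format and length before it is used).
_ID_RE = re.compile(r"^[0-9]{1,10}$")


def validate_id(raw):
    """Return the parameter as an int, or None if it is not a well-formed ID.
    Hostile or malformed input never raises; the caller rejects the request."""
    if raw is None or not _ID_RE.fullmatch(raw.strip()):
        return None
    return int(raw)


def get_late_or_missing_issues(conn, supplierid=None, serialid=None):
    """Parameterized lookup: the filter values travel as bound parameters,
    so the database engine treats them as data and never parses them as SQL."""
    sql = "SELECT serialid, title FROM serial WHERE status IN ('late', 'missing')"
    params = []
    if supplierid is not None:
        sql += " AND supplierid = ?"
        params.append(supplierid)
    if serialid is not None:
        sql += " AND serialid = ?"
        params.append(serialid)
    sql += " ORDER BY serialid"
    return conn.execute(sql, params).fetchall()


def handle_export(conn, query):
    """Hypothetical handler for the export endpoint. Validates each raw
    query-string parameter first, then calls the parameterized lookup.
    Returns (http_status, rows); 400 means a parameter was rejected."""
    supplierid = serialid = None
    if "supplierid" in query:
        supplierid = validate_id(query["supplierid"])
        if supplierid is None:
            return 400, []
    if "serialid" in query:
        serialid = validate_id(query["serialid"])
        if serialid is None:
            return 400, []
    return 200, get_late_or_missing_issues(conn, supplierid, serialid)


def make_demo_db():
    """Build the constructed in-memory database used by the example."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO serial VALUES (?, ?, ?, ?)", ROWS)
    return conn


if __name__ == "__main__":
    db = make_demo_db()
    print(handle_export(db, {"supplierid": "10"}))
    print(handle_export(db, {"serialid": "1 OR 1=1"}))
```

The two layers are deliberately independent: validate_id rejects anything that is not a plain integer at the edge, and get_late_or_missing_issues binds whatever it receives as a parameter, so a non-numeric string that somehow bypassed validation would still be compared as a literal value rather than executed as SQL.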