CVE-2025-25206
Published: 14 February 2025
Summary
CVE-2025-25206 is a high-severity SQL injection (CWE-89) vulnerability in eLabFTW (elabftw/elabftw), caused by incorrect input validation. Its CVSS v3.1 base score is 8.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 44.1% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-25206 is a SQL injection vulnerability (CWE-89) in eLabFTW, an open source electronic lab notebook used in research labs. In versions prior to 5.1.15, incorrect validation of user-supplied input lets an authenticated user read sensitive information stored in the database, such as login tokens and other confidential content.
An authenticated user with low privileges can exploit the flaw remotely over the network with low attack complexity and no user interaction, as the CVSS v3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L (base score 8.3) indicates. Reading arbitrary database content exposes other accounts' login tokens, and the advisory ties the privilege escalation risk to cookies being enabled, which is the default setting: a leaked login token can be replayed through cookie-based login to act as the token's owner, including a higher-privileged account.
The eLabFTW release notes and GitHub security advisory direct users to upgrade to version 5.1.15, which corrects the input validation. No workarounds are available. Relevant resources are the release page at https://github.com/elabftw/elabftw/releases/tag/5.1.15 and the advisory at https://github.com/elabftw/elabftw/security/advisories/GHSA-qffc-rfjh-77gg.
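To make the bug class concrete, the following is an added example written for this page; it is not eLabFTW's code, and the schema, column names, token values and function names are assumptions made for the demo. It models a search endpoint that splices a user-supplied filter into SQL, shows how an authenticated low-privilege user uses it to pull a sysadmin's login token out of the users table and replay it through a cookie-style token login, and places the hardened form beside it (bound parameters for values, an allow-list for the one identifier that cannot be bound):

```python
"""Bug class behind CVE-2025-25206, as a runnable model (not eLabFTW's code).

A query that splices a user-supplied filter into SQL lets an authenticated,
low-privilege user read another account's login token; where persistent
login is cookie based, that token is as good as the victim's session. The
hardened form binds values as parameters and allow-lists the one identifier
that cannot be bound. The schema, column names, token values and all
function names here are assumptions made for this demo.
"""
import sqlite3

# Constructed sample data: one sysadmin (userid 1) and one ordinary user (userid 2).
SEED_SQL = """
CREATE TABLE users (userid INTEGER PRIMARY KEY, email TEXT, token TEXT, is_sysadmin INTEGER);
CREATE TABLE items (id INTEGER PRIMARY KEY, userid INTEGER, title TEXT);
INSERT INTO users VALUES (1, 'admin@lab.example',   'a1b2c3d4e5f6a7b8', 1);
INSERT INTO users VALUES (2, 'student@lab.example', '0f0f0f0f0f0f0f0f', 0);
INSERT INTO items VALUES (10, 2, 'Buffer prep');
INSERT INTO items VALUES (11, 2, 'Gel run');
"""

# Payload the low-privilege user submits as a title filter. The UNION pulls the
# sysadmin's token into the result set and "-- " comments out the trailing "%'".
PAYLOAD = "' UNION SELECT token FROM users WHERE is_sysadmin = 1 -- "

ALLOWED_SORT_COLUMNS = {"id", "title"}


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SEED_SQL)
    return conn


def search_items_vulnerable(conn, userid, title_filter):
    """Incorrect input validation: the filter becomes part of the SQL text."""
    sql = (f"SELECT title FROM items WHERE userid = {int(userid)} "
           f"AND title LIKE '%{title_filter}%'")
    return [row[0] for row in conn.execute(sql)]


def is_safe_sort_column(name):
    """Allow-list check for an identifier, which cannot be a bound parameter."""
    return name in ALLOWED_SORT_COLUMNS


def search_items_fixed(conn, userid, title_filter, sort_by="title"):
    """Hardened form: values are bound, the identifier is allow-listed."""
    if not is_safe_sort_column(sort_by):
        raise ValueError(f"unexpected sort column: {sort_by!r}")
    sql = (f"SELECT title FROM items WHERE userid = ? AND title LIKE ? "
           f"ORDER BY {sort_by}")
    params = (int(userid), f"%{title_filter}%")  # the filter is data, never SQL
    return [row[0] for row in conn.execute(sql, params)]


def steal_sysadmin_token(conn, attacker_userid=2):
    """Attacker view: diff an injected search against a plain one."""
    baseline = set(search_items_vulnerable(conn, attacker_userid, ""))
    injected = set(search_items_vulnerable(conn, attacker_userid, PAYLOAD))
    extra = injected - baseline
    return extra.pop() if len(extra) == 1 else None


def login_with_token(conn, token):
    """Model of cookie-based persistent login: the token alone selects the account."""
    row = conn.execute("SELECT userid, is_sysadmin FROM users WHERE token = ?",
                       (token,)).fetchone()
    return None if row is None else {"userid": row[0], "is_sysadmin": bool(row[1])}


if __name__ == "__main__":
    db = make_db()
    token = steal_sysadmin_token(db)
    print("leaked token:", token)
    print("replayed as  :", login_with_token(db, token))
    print("fixed query  :", search_items_fixed(db, 2, PAYLOAD))
```

Run it as a script: the vulnerable search returns the sysadmin token alongside the student's own items, the token then authenticates as userid 1 with is_sysadmin true, and the same payload against the fixed query simply matches no titles. The allow-list on sort_by is the SI-10 point in miniature: a column name cannot be a bound parameter, so it must be validated against a fixed set rather than trusted.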
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4092
Vulnerability details
eLabFTW is an open source electronic lab notebook for research labs. Prior to version 5.1.15, an incorrect input validation could allow an authenticated user to read sensitive information, including login token or other content stored in the database. This could lead to privilege escalation if cookies are enabled (default setting). Users must upgrade to eLabFTW version 5.1.15 to receive a fix. No known workarounds are available.
- CWE(s): CWE-89 (SQL Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in the web application lets authenticated low-privilege users read database contents, including login tokens. That maps to exploitation of a public-facing application (T1190), privilege escalation by replaying the stolen tokens (T1068), and access to unsecured credentials stored in the database (T1552).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly addresses the root cause of this SQL injection (CWE-89) by requiring validation of all inputs before they reach the database, preventing unauthorized queries and disclosure of sensitive data such as login tokens.
- SI-2 (Flaw Remediation): mandates timely identification, reporting, and remediation of software flaws, which here means applying the vendor's fix in version 5.1.15.
- AC-3 (Access Enforcement): enforces approved access control policies on database reads so that a low-privilege user cannot obtain other accounts' login tokens, limiting the privilege escalation that the flawed input handling enables.