CVE-2025-25351
Published: 12 February 2025
Summary
CVE-2025-25351 is a critical-severity SQL Injection (CWE-89) vulnerability in Phpgurukul Daily Expense Tracker System. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 41.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents SQL injection by validating and sanitizing user inputs like the dateexpense parameter before database queries.
Mandates timely identification, reporting, and remediation of flaws such as the SQL injection vulnerability in /dets/add-expense.php.
Facilitates early detection of SQL injection vulnerabilities like CVE-2025-25351 through regular vulnerability scanning.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in public-facing web application (/dets/add-expense.php) enables exploitation of public-facing applications (T1190) and facilitates collection of data from databases via arbitrary SQL queries (T1213.006).
NVD Description
PHPGurukul Daily Expense Tracker System v1.1 is vulnerable to SQL Injection in /dets/add-expense.php via the dateexpense parameter.
Deeper analysisAI
CVE-2025-25351 is a SQL injection vulnerability (CWE-89) in PHPGurukul Daily Expense Tracker System version 1.1. The flaw resides in the /dets/add-expense.php component, where the dateexpense parameter fails to properly sanitize user input, allowing malicious SQL payloads to be injected into backend database queries. Published on 2025-02-12, it carries a CVSS v3.1 base score of 9.8, reflecting its critical severity.
Remote, unauthenticated attackers can exploit this vulnerability over the network (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N), and without changing the scope (S:U). Successful exploitation enables high-impact violations of confidentiality, integrity, and availability (C:H/I:H/A:H), potentially allowing attackers to extract sensitive data, modify records, or disrupt system operations.
A detailed writeup, including proof-of-concept details, is available at https://github.com/vkcyberexpert/CVE-Writeup/blob/main/PHPGurukul/Daily%20Expense%20Tracker%20System/SQL%20Injection%20dateexpense%20daily%20expense.pdf. No official patches or vendor advisories are referenced in available information.
Details
- CWE(s)