CVE-2025-53639
Published: 14 July 2025
Summary
CVE-2025-53639 is a medium-severity SQL Injection (CWE-89) vulnerability in MeterSphere (vendor: Metersphere). Its CVSS base score is 5.1 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 44.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-53639 is a SQL injection vulnerability (CWE-89) affecting MeterSphere, an open source continuous testing platform. In versions prior to 3.6.5-lts, the sortField parameter in certain API endpoints lacks proper validation or sanitization, allowing attackers to inject and execute arbitrary SQL statements via the sorting functionality. This flaw carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for high impact on confidentiality, integrity, and availability.
Unauthenticated remote attackers can exploit this vulnerability by supplying crafted input to the affected API endpoints, enabling arbitrary SQL execution. Successful exploitation could lead to modification or deletion of database contents, resulting in full compromise of the application's database integrity and availability.
The GitHub security advisory (GHSA-vcm3-5w3f-9f45) confirms that upgrading to version 3.6.5-lts resolves the issue by addressing the improper validation of the sortField parameter. Security practitioners should prioritize patching affected MeterSphere instances to mitigate this risk.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-21386
Vulnerability details
MeterSphere is an open source continuous testing platform. Prior to version 3.6.5-lts, the sortField parameter in certain API endpoints is not properly validated or sanitized. An attacker can supply crafted input to inject and execute arbitrary SQL statements through the sorting functionality. This could result in modification or deletion of database contents, with a potential full compromise of the application's database integrity and availability. Version 3.6.5-lts fixes the issue.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct, unauthenticated remote SQL injection through the public API endpoints of a web platform maps cleanly to Exploit Public-Facing Application (T1190).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and sanitization of user-supplied inputs such as the sortField parameter, which prevents the injection of SQL through the sorting functionality.
- SI-2 (Flaw Remediation): ensures timely remediation by upgrading MeterSphere to version 3.6.5-lts, which fixes the improper sortField validation.
- RA-5 (Vulnerability Monitoring and Scanning): vulnerability scanning identifies SQL injection flaws in API endpoints, such as those reachable through the sortField parameter, before they are exploited.
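The root cause described under "Vulnerability details" and the SI-10 control above are two sides of the same defect: a sort key is an SQL identifier, so it cannot be passed through a bind parameter, and concatenating it unvalidated into ORDER BY turns a sort option into an SQL execution point. The following is an added illustration written for this page, not MeterSphere's code; the table, column names, and the `sortField`/`sortOrder` handling are assumptions. It places the vulnerable interpolation pattern beside the allowlist-mapping fix that SI-10 calls for, using an in-memory SQLite database so it runs offline.

```python
import sqlite3

# Constructed sample rows standing in for data an API would sort for a client.
SAMPLE_ROWS = [
    ("api-login", "PASS", 120),
    ("api-order", "FAIL", 340),
    ("ui-smoke", "PASS", 95),
]

# Allowlist: the public sort key a client may send -> the real column used in SQL.
# Mapping (rather than echoing the input) means the client-supplied string never
# reaches the query text at all, only the server-side column name does.
SORT_FIELD_ALLOWLIST = {
    "name": "name",
    "status": "status",
    "duration": "duration_ms",
}


def build_db():
    """Create an in-memory table populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE test_case (name TEXT, status TEXT, duration_ms INTEGER)"
    )
    conn.executemany("INSERT INTO test_case VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def list_cases_vulnerable(conn, sort_field):
    """Vulnerable pattern (assumed, for contrast): the client-supplied sort key is
    interpolated straight into ORDER BY. Placeholders cannot carry identifiers, so
    whatever text arrives is executed as part of the SQL statement."""
    sql = f"SELECT name, status, duration_ms FROM test_case ORDER BY {sort_field}"
    return conn.execute(sql).fetchall()


def validate_sort_field(sort_field):
    """Return the server-side column for a public sort key, or raise ValueError.
    Anything not in the allowlist, including valid-looking SQL fragments, is
    rejected before a query is built."""
    if not isinstance(sort_field, str):
        raise ValueError("sortField must be a string")
    column = SORT_FIELD_ALLOWLIST.get(sort_field)
    if column is None:
        raise ValueError(f"unsupported sortField: {sort_field!r}")
    return column


def validate_sort_order(sort_order):
    """Restrict the direction to the two literal keywords the query may contain."""
    if not isinstance(sort_order, str) or sort_order.upper() not in ("ASC", "DESC"):
        raise ValueError(f"unsupported sortOrder: {sort_order!r}")
    return sort_order.upper()


def list_cases_hardened(conn, sort_field, sort_order="asc"):
    """Hardened pattern: the ORDER BY clause is assembled only from values the
    server itself chose (allowlisted column name, ASC/DESC keyword)."""
    column = validate_sort_field(sort_field)
    direction = validate_sort_order(sort_order)
    sql = (
        "SELECT name, status, duration_ms FROM test_case "
        f"ORDER BY {column} {direction}"
    )
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    conn = build_db()
    print(list_cases_hardened(conn, "duration"))
    # A fragment such as "duration_ms DESC" is executed as SQL by the vulnerable
    # version but refused by the hardened one because it is not a known sort key.
    print(list_cases_vulnerable(conn, "duration_ms DESC"))
    try:
        list_cases_hardened(conn, "duration_ms DESC")
    except ValueError as exc:
        print("rejected:", exc)
```

The design point is that the fix is an allowlist lookup, not escaping: quoting functions protect string literals, but a sort field is an identifier position, so the only safe input is one the server already knows. Logging each `ValueError` from `validate_sort_field` also gives detection engineers a clean signal, since legitimate clients only ever send the handful of keys in the allowlist.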