CVE-2025-8264
Published: 29 July 2025
Summary
CVE-2025-8264 is a high-severity SQL Injection (CWE-89) vulnerability in Snyk (inferred from references). Its CVSS base score is 7.9 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it ranks in the top 39.6% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-8264 is a SQL injection vulnerability (CWE-89) affecting versions of the z-push/z-push-dev package prior to 2.7.6. The issue stems from unparameterized queries in the IMAP backend, specifically when the IMAP_FROM_SQL_QUERY option is configured in Z-Push installations. This flaw enables attackers to inject malicious SQL commands through the username field during basic authentication, potentially compromising linked third-party databases.
An unauthenticated remote attacker can exploit this vulnerability over the network with high attack complexity, requiring no user interaction and no privileges, as indicated by its CVSS v3.1 base score of 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H). Successful exploitation grants access to sensitive data in the database and allows modification or deletion of records, with the impact amplified due to the changed scope.
Mitigation involves updating to version 2.7.6 or later, where the issue is addressed via patches in the referenced GitHub pull request. As an immediate workaround, administrators should modify the configuration in backend/imap/config.php to disable SQL queries for IMAP_FROM by setting define('IMAP_DEFAULTFROM', ''); or define('IMAP_DEFAULTFROM', 'ldap'); to use the default or LDAP backend instead.
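As an added illustration of the weak pattern the analysis describes beside its parameterized counterpart (example code written for this page, not Z-Push's own code), the block below assumes a hypothetical lookup template with a '#username#' placeholder and uses a constructed in-memory SQLite table standing in for the linked third-party database. It shows that a username containing SQL characters only alters the query when it is spliced into the SQL text, and is harmless once bound as a parameter.

```python
import sqlite3

# Constructed sample rows standing in for the "linked third-party database"
# that an IMAP_FROM lookup would consult (not real Z-Push data).
SAMPLE_USERS = [
    ("alice", "Alice", "Example", "alice@example.org"),
    ("bob", "Bob", "Example", "bob@example.org"),
]

# Hypothetical lookup template with a '#username#' placeholder, in the spirit of
# a configured IMAP_FROM_SQL_QUERY (assumption: the page does not show the format).
FROM_QUERY_TEMPLATE = (
    "SELECT first_name, last_name, mail FROM users WHERE username = '#username#'"
)

def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, first_name TEXT, last_name TEXT, mail TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn

def lookup_from_unparameterized(conn, username):
    """Pre-fix pattern: the authenticated username is spliced into the SQL text,
    so any quotes or operators it contains are parsed as SQL rather than as data."""
    sql = FROM_QUERY_TEMPLATE.replace("#username#", username)
    return conn.execute(sql).fetchall()

def lookup_from_parameterized(conn, username):
    """Hardened pattern: the quoted placeholder becomes a bound parameter, so the
    username is only ever compared as a value, whatever characters it contains."""
    sql = FROM_QUERY_TEMPLATE.replace("'#username#'", "?")
    return conn.execute(sql, (username,)).fetchall()

def compare(username):
    """Return (rows from the weak lookup, rows from the hardened lookup)."""
    conn = make_db()
    try:
        return (lookup_from_unparameterized(conn, username),
                lookup_from_parameterized(conn, username))
    finally:
        conn.close()

if __name__ == "__main__":
    for name in ("alice", "x' OR '1'='1"):
        weak, safe = compare(name)
        print(f"{name!r}: weak={len(weak)} rows, parameterized={len(safe)} rows")
```

The second input returns every row through the weak lookup and no rows through the parameterized one, which is exactly the difference the 2.7.6 fix relies on.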
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-22977
Vulnerability details
Versions of the package z-push/z-push-dev before 2.7.6 are vulnerable to SQL Injection due to unparameterized queries in the IMAP backend. An attacker can inject malicious commands by manipulating the username field in basic authentication. This allows the attacker to access and potentially modify or delete sensitive data from a linked third-party database.
**Note:** This vulnerability affects Z-Push installations that utilize the IMAP backend and have the IMAP_FROM_SQL_QUERY option configured.
Mitigation
Change the configuration in backend/imap/config.php to use the default or LDAP backend:
define('IMAP_DEFAULTFROM', '');
or
define('IMAP_DEFAULTFROM', 'ldap');
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in the public-facing Z-Push IMAP backend directly enables remote, unauthenticated exploitation of a public-facing application.
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation): Directly enforces validation of untrusted inputs such as the username field in basic authentication, blocking SQL injection through the unparameterized IMAP backend queries.
SI-2 (Flaw Remediation): Requires timely patching of the z-push package to version 2.7.6 or later, remediating the SQL injection flaw in the IMAP backend.
Mandates secure configuration settings in backend/imap/config.php to disable vulnerable IMAP_FROM_SQL_QUERY and use default or LDAP instead.