CVE-2025-8311
Published: 04 September 2025
Summary
CVE-2025-8311 is a critical-severity SQL Injection (CWE-89) vulnerability in dotCMS (inferred from references). Its CVSS base score is 9.4 (Critical).
Operationally, it is ranked in the top 15.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
dotCMS versions 24.03.22 and later contain a Boolean-based blind SQL injection vulnerability in the /api/v1/contenttype endpoint. The sites query parameter accepts a comma-separated list of site identifiers or keys that is directly concatenated into a SQL query without sanitization, allowing malformed input to alter query logic.
An authenticated attacker with low privileges can supply crafted values to the sites parameter and leverage automated tools such as SQLMap to extract arbitrary database contents, escalate privileges, or induce denial-of-service conditions through repeated or resource-intensive payloads. Full database exfiltration has been demonstrated in verification testing.
The vendor advisory at https://dev.dotcms.com/docs/known-security-issues?issueNumber=SI-73 states that the issue is resolved in dotCMS releases 25.08.14, 25.07.10-1v2 LTS, 24.12.27v10 LTS, and 24.04.24v21 LTS. The associated EPSS score has remained flat at 0.0220 with no material increase since disclosure.
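The concatenation pattern described above, next to a bound-parameter version, as an added example that is not dotCMS code and not the vendor's patch. The table, column names, identifier pattern and sample input are constructed for illustration, and SQLite stands in for the real database.

```python
import re
import sqlite3

# Assumed identifier shape for this sketch: letters, digits, '.', '_' and '-'.
SITE_ID = re.compile(r"[A-Za-z0-9._-]{1,64}")
# Constructed malformed value for the comma-separated sites parameter.
MALFORMED = "site-a') OR ('1'='1"

def make_db():
    # Constructed sample rows; the schema is hypothetical, not dotCMS's.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE content_type (name TEXT, site TEXT)")
    db.executemany("INSERT INTO content_type VALUES (?, ?)",
                   [("Blog", "site-a"), ("News", "site-b"), ("Secret", "site-c")])
    return db

def find_unsafe(db, sites):
    # 'Before' pattern: each list element is pasted into the SQL text, so a
    # quote character in the input ends the literal and alters the WHERE logic.
    in_list = ",".join("'%s'" % s for s in sites.split(","))
    sql = "SELECT name FROM content_type WHERE site IN (%s) ORDER BY name" % in_list
    return [row[0] for row in db.execute(sql)]

def find_safe(db, sites, validate=True):
    # Hardened pattern: one placeholder per list element, values passed as
    # bound parameters, with an allow-list check rejecting odd input early.
    ids = [s.strip() for s in sites.split(",") if s.strip()]
    if not ids:
        return []
    if validate:
        for s in ids:
            if not SITE_ID.fullmatch(s):
                raise ValueError("invalid site identifier: %r" % s)
    marks = ",".join("?" * len(ids))  # "?,?,?" for three identifiers
    sql = "SELECT name FROM content_type WHERE site IN (%s) ORDER BY name" % marks
    return [row[0] for row in db.execute(sql, ids)]

if __name__ == "__main__":
    db = make_db()
    print("unsafe, normal   :", find_unsafe(db, "site-a,site-b"))
    print("unsafe, malformed:", find_unsafe(db, MALFORMED))
    print("bound, malformed :", find_safe(db, MALFORMED, validate=False))
```

With binding alone the malformed value is compared as a literal site name and matches nothing; the allow-list check additionally turns it into an error that can be logged and alerted on.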
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-27276
Vulnerability details
In dotCMS versions 24.03.22 and after, a Boolean-based blind SQLi vulnerability was identified in the /api/v1/contenttype endpoint. This endpoint uses the sites query parameter, which accepts a comma-separated list of site identifiers or keys. The vulnerability was triggered via the sites parameter, which was directly concatenated into a SQL query without proper sanitization. Exploitation allowed an authenticated attacker with low privileges to extract data from the database, perform privilege escalation, or trigger denial-of-service conditions. The vulnerability was verified using tools such as SQLMap and confirmed to allow full database exfiltration and potential denial-of-service conditions via crafted payloads. The vulnerability is fixed in the following versions of the dotCMS stack: 25.08.14 / 25.07.10-1v2 LTS / 24.12.27v10 LTS / 24.04.24v21 LTS
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.