CRITICAL🇵🇱 Wersja polska

CVE-2024-57521

CVSS 10.0v3.1pub. 2025-12-23upd. 2026-01-06

SQL Injection vulnerability in RuoYi v.4.7.9 and before allows a remote attacker to execute arbitrary code via the createTable function in SqlUtil.java.

🤖 AI Analysis
How it works

The vulnerability results from insufficient validation and sanitization of input data passed to the createTable function in SqlUtil.java, allowing malicious SQL code injection. An attacker can send a specially crafted network request without the need for authentication. Successful injection enables execution of arbitrary commands at the database level, and consequently also code execution on the server (RCE).

Impact

An attacker can gain full control over the system — read, modify or delete data in the database, as well as execute arbitrary code on the server (RCE), which may lead to complete system takeover.

Mitigation & patch

A patch available in the vendor's repository should be applied (commit ddd858ca732618a472b10eaab2f8e4b45812ffc5 in the Gitee repository). It is recommended to update to the patched version as soon as possible and restrict network access to the RuoYi admin panel.

Who is affected

RuoYi v.4.7.9 and all earlier versions.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Ruoyi

    APP
    Ruoyi
    ≤ 4.7.9
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCESQLi
CWE
References

Related vulnerabilities

CVE-2025-70985CRITICAL9.1PL ✓ten sam produkt

RuoYi v4.8.2 — nieprawidłowa kontrola dostępu w funkcji aktualizacji

CVE-2025-28406CRITICAL9.8PL ✓ten sam produkt

Eskalacja uprawnień w RuoYi v.4.8.0 poprzez parametr jobLogId

CVE-2025-28405CRITICAL9.8PL ✓ten sam produkt

RuoYi 4.8.0 – privilege escalation przez metodę changeStatus

CVE-2025-28402CRITICAL9.8PL ✓ten sam produkt

Eskalacja uprawnień przez parametr jobId w RuoYi v.4.8.0

CVE-2025-28408CRITICAL9.8PL ✓ten sam produkt

RuoYi 4.8.0 — privilege escalation przez brak walidacji parametru deptId