CVE-2025-58450: SQL Injection in pREST
Platform
go
Component
github.com/prest/prest
Fixed in
2.0.1
CVE-2025-58450 identifies a systemic SQL Injection vulnerability within pREST, a Go-based project. This flaw allows attackers to inject malicious SQL code, potentially gaining unauthorized access to sensitive data and compromising the underlying system. The vulnerability impacts versions of pREST before 2.0.0-rc3. A fix is available in version 2.0.0-rc3.
Impact and Attack Scenarios
The SQL Injection vulnerability in pREST presents a significant risk. An attacker could leverage this flaw to bypass authentication mechanisms, extract sensitive data such as user credentials, financial information, or proprietary business data stored in the database. Successful exploitation could lead to complete database compromise, allowing the attacker to modify or delete data, or even execute arbitrary commands on the server. The potential blast radius extends to any system relying on pREST for data storage and retrieval, making it a critical concern for organizations utilizing this project. While no direct precedent is immediately obvious, SQL Injection vulnerabilities are consistently among the most exploited web application flaws.
Exploitation Context
CVE-2025-58450 was publicly disclosed on 2025-09-17. The vulnerability's severity is rated as CRITICAL (CVSS 9.5). As of this writing, there are no publicly available Proof-of-Concept (PoC) exploits, but the systemic nature of the SQL Injection vulnerability suggests a high probability of exploitation if left unaddressed. It is not currently listed on the CISA KEV catalog.
Threat Intelligence
EPSS: 0.03% (10th percentile)
Mitigation and Workarounds
The primary mitigation for CVE-2025-58450 is to immediately upgrade to version 2.0.0-rc3 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing temporary workarounds. Input validation and sanitization of all user-supplied data are crucial. Web Application Firewalls (WAFs) configured with rules to detect and block SQL Injection attempts can provide an additional layer of defense. Monitor database logs for suspicious SQL queries that might indicate an ongoing attack. Consider implementing a least-privilege database user account for pREST to limit the potential damage from a successful exploit.
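As an added illustration of the input-validation guidance above (this is not pREST's own code and does not describe where the flaw sits in pREST), the Go snippet below contrasts a query assembled by string concatenation with one that allowlists request-supplied identifiers and binds the filter value as a parameter. The allowed table names and the request values are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
)

// Hypothetical allowlist of tables the API may expose; a real deployment
// would derive this from configuration or the database catalog.
var allowedTables = map[string]bool{"users": true, "orders": true}

// identRe accepts only plain, unquoted PostgreSQL-style identifiers.
var identRe = regexp.MustCompile(`^[a-z_][a-z0-9_]{0,62}$`)

// unsafeSelect shows the injection-prone pattern: request-derived table,
// column and filter text are spliced straight into the SQL string.
func unsafeSelect(table, column, value string) string {
	return fmt.Sprintf("SELECT * FROM %s WHERE %s = '%s'", table, column, value)
}

// safeSelect checks identifiers against the allowlist and regex, quotes
// them, and hands the filter value to the driver as a bind parameter ($1)
// so it can never change the structure of the statement.
func safeSelect(table, column, value string) (string, []any, error) {
	if !allowedTables[table] {
		return "", nil, fmt.Errorf("table %q is not exposed", table)
	}
	if !identRe.MatchString(column) {
		return "", nil, fmt.Errorf("invalid column name %q", column)
	}
	q := fmt.Sprintf(`SELECT * FROM "%s" WHERE "%s" = $1`, table, column)
	return q, []any{value}, nil
}

func main() {
	// Constructed request input carrying a textbook injection fragment.
	value := "x' OR 1=1 --"
	fmt.Println("unsafe:", unsafeSelect("users", "name", value))
	q, args, err := safeSelect("users", "name", value)
	fmt.Println("safe:", q, args, err)
	_, _, err = safeSelect("users", `name" OR 1=1 --`, "x")
	fmt.Println("rejected column:", err)
	_, _, err = safeSelect("accounts", "name", "x")
	fmt.Println("rejected table:", err)
}
```

The safe variant returns the statement text and its argument list separately, which is exactly what `database/sql`'s `QueryContext(ctx, q, args...)` expects.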
How to fix
Upgrade pREST to version 2.0.0-rc3 or later. This version contains a fix for the SQL injection vulnerability. You can download the latest version from the official repository or use a package manager if one is available.
Frequently asked questions
What is CVE-2025-58450 — SQL Injection in pREST?
CVE-2025-58450 is a critical SQL Injection vulnerability affecting pREST versions prior to 2.0.0-rc3, allowing attackers to execute arbitrary SQL queries and potentially compromise the database.
Am I affected by CVE-2025-58450 in pREST?
If you are using pREST versions earlier than 2.0.0-rc3, you are vulnerable to this SQL Injection flaw. Assess your deployments immediately.
How do I fix CVE-2025-58450 in pREST?
Upgrade to version 2.0.0-rc3 or later to resolve the vulnerability. Implement input validation and WAF rules as temporary mitigations if immediate upgrade is not possible.
Is CVE-2025-58450 being actively exploited?
While no public exploits are currently available, the high severity and systemic nature of the vulnerability suggest a potential for active exploitation.
Where can I find the official pREST advisory for CVE-2025-58450?
Refer to the pREST project's official repository and release notes for the advisory and detailed information regarding the fix.