Scan free
CRITICALCVE-2025-58448CVSS 9.1

CVE-2025-58448: SQL Injection in rAthena MMORPG Server

Platform

other

Component

rathena

Fixed in

0.0.1

AI Confidence: highNVDEPSS 0.0%Reviewed: May 2026
View on NVD
Save

CVE-2025-58448 describes a SQL Injection vulnerability discovered in rAthena, an open-source MMORPG server. This flaw resides within the PartyBooking component, specifically through manipulation of the WorldName parameter. Exploitation could lead to unauthorized data access and modification. Affected versions are those prior to commit 0d89ae0; upgrading to this version resolves the issue.

Impact and Attack Scenarios

Successful exploitation of this SQL Injection vulnerability allows an attacker to inject malicious SQL code into database queries executed by the rAthena server. This can lead to a wide range of consequences, including unauthorized access to sensitive player data (usernames, passwords, character information, inventory), modification of game data (item quantities, character stats), and potentially even complete database compromise. Depending on the database user's privileges, an attacker might be able to execute arbitrary commands on the server itself, leading to a complete system takeover. The blast radius extends to all players and administrators of the affected rAthena server instance.

Exploitation Context

CVE-2025-58448 has been publicly disclosed on 2025-09-09. As of this date, there are no known public exploits or active campaigns targeting this vulnerability. The vulnerability is not currently listed on the CISA KEV catalog. The ease of exploitation is relatively high due to the direct injection point, but the limited public awareness may reduce the immediate risk.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown
CISA KEVNO
Internet ExposureHigh

EPSS

0.04% (11% percentile)

CISA SSVC

Exploitationnone
Automatableyes
Technical Impacttotal

CVSS Vector

THREAT INTELLIGENCE· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N9.1CRITICALAttack VectorNetworkHow the attacker reaches the targetAttack ComplexityLowConditions required to exploitPrivileges RequiredNoneAuthentication level needed to attackUser InteractionNoneWhether a victim must take actionScopeUnchangedImpact beyond the vulnerable componentConfidentialityHighRisk of sensitive data exposureIntegrityHighRisk of unauthorized data modificationAvailabilityNoneRisk of service disruptionnextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Componentrathena
Vendorrathena
Affected rangeFixed in
< 0d89ae0 – < 0d89ae00.0.1

Weakness Classification (CWE)

CWE-89

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2025-58448 is to immediately upgrade rAthena to version 0d89ae0 or later. If an immediate upgrade is not feasible due to compatibility concerns or downtime requirements, consider implementing temporary workarounds. Input validation on the WorldName parameter is crucial; sanitize or escape any user-supplied input before incorporating it into SQL queries. Web application firewalls (WAFs) configured to detect and block SQL Injection attempts can provide an additional layer of defense. Monitor server logs for suspicious SQL queries or database activity.

How to fix

Update rAthena to a version after commit 0d89ae0. This will resolve the SQL Injection vulnerability in the PartyBooking component. Refer to commit 0d89ae071ff5e46e8dedcf45d060acec84b3abb5 for more details on the fix.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2025-58448 — SQL Injection in rAthena MMORPG Server?

CVE-2025-58448 is a critical SQL Injection vulnerability affecting rAthena MMORPG servers before version 0d89ae0. The WorldName parameter in the PartyBooking component is vulnerable, allowing attackers to inject malicious SQL code.

Am I affected by CVE-2025-58448 in rAthena MMORPG Server?

You are affected if you are running rAthena MMORPG server versions prior to commit 0d89ae0. Check your server version and upgrade immediately if vulnerable.

How do I fix CVE-2025-58448 in rAthena MMORPG Server?

Upgrade your rAthena server to version 0d89ae0 or later. Implement input validation on the WorldName parameter as a temporary workaround if immediate upgrade is not possible.

Is CVE-2025-58448 being actively exploited?

As of 2025-09-09, there are no confirmed reports of active exploitation, but the vulnerability is publicly known and could be targeted.

Where can I find the official rAthena advisory for CVE-2025-58448?

Refer to the rAthena project's official website and commit history for details and updates regarding CVE-2025-58448 and the associated fix.

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan freeSearch CVEs