Platform: perl
Component: koha
Fixed in: 24.11.02
CVE-2025-22954 is a critical SQL injection vulnerability in Koha, the widely used open-source Integrated Library System (ILS). The flaw lets an attacker inject SQL through the supplierid or serialid parameters of the /serials/lateissues-export.pl script, the late-issues export feature of the Serials module. Koha versions before 24.11.02 are affected; 24.11.02 contains the fix.
Successful exploitation lets the attacker run SQL of their choosing against the Koha database with the privileges of the application's database account. That typically means reading data the exporter was never meant to return, including patron records (names, addresses, contact details), holdings and other inventory data, and potentially stored account credentials. Depending on the grants held by the database account, the attacker may also be able to modify or delete rows and so disrupt library operations. Because the injection point sits in an export function, the results of an injected query can be returned inside the export itself (for example via a UNION clause), which makes data exfiltration straightforward.
CVE-2025-22954 was publicly disclosed on March 12, 2025. No public proof-of-concept exploit is known at the time of writing, but the vulnerability is rated CRITICAL and its EPSS score (11.93%, 94th percentile) indicates a meaningful probability of exploitation if it is left unpatched. It is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. Monitor security advisories and threat-intelligence feeds for signs of active exploitation against Koha installations, and review web server logs for unusual requests to /serials/lateissues-export.pl.
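A concrete way to act on the "review your logs" advice is to hunt for requests to the vulnerable script whose supplierid or serialid value is anything other than a plain integer. The following Perl script is an added example, not code from Koha or from the advisory. It assumes Apache combined-format access logs and a /cgi-bin/koha/ URL prefix; the log lines and the injection payloads in them are constructed for the demo. Because only the query string is logged, this catches GET-based attempts only; parameters sent in a POST body would not appear in the access log.

```perl
#!/usr/bin/perl
# Added example (not Koha's code): flag requests to /serials/lateissues-export.pl
# whose supplierid or serialid value is not a plain integer.
use strict;
use warnings;

# Constructed sample access-log lines in Apache combined format.
# The /cgi-bin/koha/ prefix is assumed; the payloads are made up for the demo.
my @log_lines = (
    '10.0.0.5 - - [12/Mar/2025:10:01:02 +0000] "GET /cgi-bin/koha/serials/lateissues-export.pl?supplierid=12&op=export HTTP/1.1" 200 4123 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Mar/2025:10:03:44 +0000] "GET /cgi-bin/koha/serials/lateissues-export.pl?supplierid=12%20UNION%20SELECT%201%2C2%2C3-- HTTP/1.1" 200 9912 "-" "curl/8.4.0"',
    '10.0.0.7 - - [12/Mar/2025:10:04:10 +0000] "GET /cgi-bin/koha/serials/lateissues-export.pl?serialid=7%27%20OR%201%3D1-- HTTP/1.1" 500 512 "-" "python-requests/2.31"',
    '10.0.0.3 - - [12/Mar/2025:10:05:00 +0000] "GET /cgi-bin/koha/mainpage.pl HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
);

# Minimal percent-decoding so the check sees what the CGI script would see.
sub url_decode {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

# Returns a list of "name=value" strings for every supplierid/serialid
# parameter on the vulnerable script that is not a plain unsigned integer.
sub suspicious_params {
    my ($line) = @_;
    my ($target) = $line =~ /"(?:GET|POST)\s+(\S+)\s+HTTP/ or return ();
    return () unless $target =~ m{/serials/lateissues-export\.pl\?(.*)};
    my $query = $1;
    my @hits;
    for my $pair (split /&/, $query) {
        my ($k, $v) = split /=/, $pair, 2;
        next unless defined $v && ($k eq 'supplierid' || $k eq 'serialid');
        $v = url_decode($v);
        push @hits, "$k=$v" unless $v =~ /\A[0-9]+\z/;
    }
    return @hits;
}

for my $line (@log_lines) {
    my @hits = suspicious_params($line);
    next unless @hits;
    my ($ip) = $line =~ /^(\S+)/;
    print "ALERT $ip: ", join(' ; ', @hits), "\n";
}
```

Run against real logs by replacing the @log_lines array with a read of the access log. The check is deliberately an allow-list on the parameter's shape (digits only) rather than a search for SQL keywords: a keyword list misses encoded or obfuscated payloads, while "not an integer" flags anything that cannot be a legitimate supplier or serial identifier.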
Exploit Status
EPSS: 11.93% (94th percentile)
The primary mitigation for CVE-2025-22954 is to upgrade Koha to version 24.11.02 or later without delay. If upgrading is not immediately feasible, a Web Application Firewall (WAF) rule that rejects requests to /serials/lateissues-export.pl whose supplierid or serialid value is anything other than a plain integer is a reasonable stopgap; generic SQL injection signatures are easier to evade. In the code itself, the durable fix for this class of bug is to pass such values to the database as bound parameters (DBI placeholders) instead of interpolating them into the SQL text, with strict type validation before the query runs. Also review the grants held by Koha's database account and the application's access controls so that a successful injection does as little damage as possible: the account should have no more privileges than the application needs.
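To make the difference between interpolation and placeholders concrete, here is an added Perl example; it is not Koha's code and does not reproduce the actual vulnerable query. It uses a made-up late_issues table in an in-memory SQLite database (DBD::SQLite is assumed to be installed) to stand in for Koha's MySQL schema, and shows a hypothetical export routine in a vulnerable form and a hardened form that validates the parameter and binds it through a DBI placeholder.

```perl
#!/usr/bin/perl
# Added example (not Koha's code): an interpolated query versus a placeholder
# query for a supplierid-style filter. Table and column names are invented;
# an in-memory SQLite database stands in for Koha's MySQL.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do("CREATE TABLE late_issues (serialid INTEGER, supplierid INTEGER, title TEXT)");
$dbh->do("INSERT INTO late_issues VALUES (1, 10, 'Journal A'), (2, 10, 'Journal B'), (3, 20, 'Journal C')");
$dbh->do("CREATE TABLE secrets (id INTEGER, value TEXT)");
$dbh->do("INSERT INTO secrets VALUES (1, 'not-for-export')");

# Vulnerable pattern: the request parameter is pasted into the SQL text,
# so its content becomes part of the statement.
sub export_unsafe {
    my ($dbh, $supplierid) = @_;
    my $sql = "SELECT title FROM late_issues WHERE supplierid = $supplierid";
    return $dbh->selectcol_arrayref($sql);
}

# Hardened pattern: reject anything that is not a positive integer, then bind
# the value as a placeholder so it can never be parsed as SQL syntax.
sub export_safe {
    my ($dbh, $supplierid) = @_;
    die "supplierid must be a positive integer\n"
        unless defined $supplierid && $supplierid =~ /\A[1-9][0-9]*\z/;
    my $sql = "SELECT title FROM late_issues WHERE supplierid = ?";
    return $dbh->selectcol_arrayref($sql, {}, $supplierid);
}

my $benign  = "10";
my $payload = "10 UNION SELECT value FROM secrets";   # constructed attacker input

print "unsafe/benign:  @{ export_unsafe($dbh, $benign) }\n";
print "unsafe/payload: @{ export_unsafe($dbh, $payload) }\n";   # export now includes 'not-for-export'
print "safe/benign:    @{ export_safe($dbh, $benign) }\n";
eval { export_safe($dbh, $payload) };
print "safe/payload:   rejected: $@" if $@;
```

The same placeholder mechanism is what Koha's DBI-based code uses when it is written correctly; with DBD::mysql the value is quoted client-side by default rather than sent as a server-side prepared statement, which is still safe because the driver, not the caller, controls the quoting. The regular-expression check is belt and braces: even if some other code path later interpolates the value, an integer cannot carry SQL.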
Update Koha to version 24.11.02 or later. This update fixes the SQL injection vulnerability in the supplierid and serialid parameters of the /serials/lateissues-export.pl script. Applying it is essential to protect your system against possible attacks.
CVE-2025-22954 is a critical SQL injection vulnerability affecting all Koha releases before 24.11.02 (up to and including 24.11.01). It allows attackers to read and potentially manipulate the database through the /serials/lateissues-export.pl endpoint.
If you are running any Koha release before 24.11.02, you are affected by this vulnerability and should upgrade immediately.
The recommended fix is to upgrade Koha to version 24.11.02 or later. Consider WAF rules as an interim measure.
While no public exploit is currently known, the vulnerability's critical severity means there is a high probability of exploitation if it is left unpatched.
Refer to the Koha bug tracker entry for this issue for detailed information and updates: [https://bugs.koha-community.org/bugtracker/?action=view&bugid=32014]