Platform: other
Component: rathena
Fixed in: 0.0.1
CVE-2025-58448 describes a SQL Injection vulnerability discovered in rAthena, an open-source MMORPG server. The flaw resides in the PartyBooking component and is reached by manipulating the WorldName parameter. Exploitation could lead to unauthorized data access and modification. Affected versions are those prior to commit 0d89ae0; upgrading to a build that includes this commit resolves the issue.
Successful exploitation of this SQL Injection vulnerability allows an attacker to inject malicious SQL code into database queries executed by the rAthena server. This can lead to a wide range of consequences, including unauthorized access to sensitive player data (usernames, passwords, character information, inventory), modification of game data (item quantities, character stats), and potentially even complete database compromise. Depending on the database user's privileges, an attacker might be able to execute arbitrary commands on the server itself, leading to a complete system takeover. The blast radius extends to all players and administrators of the affected rAthena server instance.
CVE-2025-58448 was publicly disclosed on 2025-09-09. As of that date, there are no known public exploits or active campaigns targeting this vulnerability, and it is not listed in the CISA KEV catalog. The ease of exploitation is relatively high because the injection point is reached directly through a user-supplied parameter, but limited public awareness may reduce the immediate risk.
Exploit Status
EPSS: 0.04% (11th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-58448 is to upgrade rAthena to a build that includes commit 0d89ae0 or later. If an immediate upgrade is not feasible because of compatibility concerns or downtime requirements, consider temporary workarounds. Input validation on the WorldName parameter is crucial: sanitize or escape any user-supplied input before incorporating it into SQL queries. Web application firewalls (WAFs) configured to detect and block SQL Injection attempts provide an additional layer of defense. Monitor server logs for suspicious SQL queries or unusual database activity.
Update rAthena to a version after commit 0d89ae0. This will resolve the SQL Injection vulnerability in the PartyBooking component. Refer to commit 0d89ae071ff5e46e8dedcf45d060acec84b3abb5 for more details on the fix.
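To make the workaround above concrete, here is an added C++ illustration (not rAthena's own code) of the vulnerable pattern beside a hardened one: the query text, table and column names, the 20-character bound and the allow-list policy are assumptions chosen for the example. Where the database layer offers prepared statements with bound parameters, those are the stronger fix; escaping after allow-list validation is the fallback shown here.

```cpp
#include <cctype>
#include <cstddef>
#include <string>

// Hypothetical length bound for a WorldName; rAthena's real packet field may differ.
constexpr std::size_t kMaxWorldNameLen = 20;

// Escape a value for use inside a single-quoted MySQL string literal (the same
// characters mysql_real_escape_string handles for a single-byte connection charset).
std::string escapeSqlLiteral(const std::string& in) {
    std::string out;
    for (char c : in) {
        switch (c) {
            case '\0':   out += "\\0";  break;
            case '\n':   out += "\\n";  break;
            case '\r':   out += "\\r";  break;
            case '\\':   out += "\\\\"; break;
            case '\'':   out += "\\'";  break;
            case '"':    out += "\\\""; break;
            case '\x1a': out += "\\Z";  break;
            default:     out += c;      break;
        }
    }
    return out;
}

// Allow-list check (assumed policy): letters, digits, space and underscore, bounded length.
bool isValidWorldName(const std::string& name) {
    if (name.empty() || name.size() > kMaxWorldNameLen) return false;
    for (unsigned char c : name)
        if (!std::isalnum(c) && c != '_' && c != ' ') return false;
    return true;
}

// Vulnerable pattern: the untrusted WorldName is spliced into the SQL text as-is,
// so a quote character in the input changes the structure of the statement.
std::string buildQueryUnsafe(const std::string& worldName) {
    return "SELECT * FROM party_booking WHERE world = '" + worldName + "'";
}

// Hardened pattern: reject anything outside the allow-list, then escape anyway
// (defence in depth). Returns an empty string instead of a query on invalid input.
std::string buildQuerySafe(const std::string& worldName) {
    if (!isValidWorldName(worldName)) return "";
    return "SELECT * FROM party_booking WHERE world = '" + escapeSqlLiteral(worldName) + "'";
}
```

A useful regression check is to feed both builders a constructed WorldName containing a single quote: the unsafe builder emits a statement with more than two unescaped quotes, while the safe builder refuses it.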
CVE-2025-58448 is a critical SQL Injection vulnerability affecting rAthena MMORPG servers built before commit 0d89ae0. The WorldName parameter in the PartyBooking component is not properly sanitized, allowing attackers to inject malicious SQL code.
You are affected if you are running rAthena MMORPG server versions prior to commit 0d89ae0. Check your server version and upgrade immediately if vulnerable.
Upgrade your rAthena server to a build that includes commit 0d89ae0 or later. If an immediate upgrade is not possible, implement input validation on the WorldName parameter as a temporary workaround.
As of 2025-09-09, there are no confirmed reports of active exploitation, but the vulnerability is publicly known and could be targeted.
Refer to the rAthena project's official website and commit history for details and updates regarding CVE-2025-58448 and the associated fix.