Platform: go
Component: github.com/prest/prest
Fixed in: 2.0.1
CVE-2025-58450 identifies a systemic SQL Injection vulnerability within pREST, a Go-based project. This flaw allows attackers to inject malicious SQL code, potentially gaining unauthorized access to sensitive data and compromising the underlying system. The vulnerability impacts versions of pREST before 2.0.0-rc3. A fix is available in version 2.0.0-rc3.
The SQL Injection vulnerability in pREST presents a significant risk. An attacker could leverage this flaw to bypass authentication mechanisms, extract sensitive data such as user credentials, financial information, or proprietary business data stored in the database. Successful exploitation could lead to complete database compromise, allowing the attacker to modify or delete data, or even execute arbitrary commands on the server. The potential blast radius extends to any system relying on pREST for data storage and retrieval, making it a critical concern for organizations utilizing this project. While no direct precedent is immediately obvious, SQL Injection vulnerabilities are consistently among the most exploited web application flaws.
CVE-2025-58450 was publicly disclosed on 2025-09-17. The vulnerability's severity is rated as CRITICAL (CVSS 9.5). As of this writing, there are no publicly available Proof-of-Concept (PoC) exploits, but the systemic nature of the SQL Injection vulnerability suggests a high probability of exploitation if left unaddressed. It is not currently listed on the CISA KEV catalog.
Organizations and developers utilizing pREST for data storage and retrieval are at risk. This includes those deploying pREST in production environments, particularly those with sensitive data stored in the database. Applications relying on pREST as a backend service are also vulnerable.
• linux / server: journalctl -u prest -g "SQL injection"
• generic web: curl -I <prest_endpoint> | grep -i "SQL injection"
Disclosure
Exploit status
EPSS: 0.03% (10th percentile)
CISA SSVC
The primary mitigation for CVE-2025-58450 is to immediately upgrade to version 2.0.0-rc3 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing temporary workarounds. Input validation and sanitization on all user-supplied data is crucial. Web Application Firewalls (WAFs) configured with rules to detect and block SQL Injection attempts can provide an additional layer of defense. Monitor database logs for suspicious SQL queries that might indicate an ongoing attack. Consider implementing a least-privilege database user account for pREST to limit the potential damage from a successful exploit.
Upgrade pREST to version 2.0.0-rc3 or later. This version contains a fix for the SQL injection vulnerability. You can download the latest release from the official repository or use a package manager if one is available.
CVE-2025-58450 is a critical SQL Injection vulnerability affecting pREST versions prior to 2.0.0-rc3, allowing attackers to execute arbitrary SQL queries and potentially compromise the database.
If you are using pREST versions earlier than 2.0.0-rc3, you are vulnerable to this SQL Injection flaw. Assess your deployments immediately.
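As an added example (not part of this advisory or of the pREST project), the following Go program checks whether a go.mod pins github.com/prest/prest below the fixed 2.0.0-rc3. It applies SemVer pre-release ordering, so 2.0.0-rc2 is flagged while 2.0.0-rc3 and the final 2.0.0 are not; the go.mod content in main is constructed for the demonstration.

```go
package main

import (
	"fmt"
	"strings"
)

// Module path and first fixed version, as stated in the advisory.
const affectedModule, fixedVersion = "github.com/prest/prest", "v2.0.0-rc3"

// parseSemver splits "v2.0.0-rc3" into its numeric core and pre-release tag.
func parseSemver(v string) (core [3]int, pre string) {
	v, _, _ = strings.Cut(strings.TrimPrefix(v, "v"), "+") // build metadata never orders
	v, pre, _ = strings.Cut(v, "-")
	fmt.Sscanf(v, "%d.%d.%d", &core[0], &core[1], &core[2]) // absent parts stay 0
	return core, pre
}

// lessThan reports whether a sorts before b: numeric core first; a pre-release is
// below the final release; tags compare in ASCII order (rc2 < rc3) as SemVer specifies.
func lessThan(a, b string) bool {
	ca, pa := parseSemver(a)
	cb, pb := parseSemver(b)
	for i := 0; i < 3; i++ {
		if ca[i] != cb[i] {
			return ca[i] < cb[i]
		}
	}
	if (pa == "") != (pb == "") {
		return pa != ""
	}
	return pa < pb
}

// affectedInGoMod finds the pREST requirement (block or single-line form) in go.mod text.
func affectedInGoMod(goMod string) (version string, affected bool) {
	for _, line := range strings.Split(goMod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) >= 2 && f[0] == affectedModule {
			return f[1], lessThan(f[1], fixedVersion)
		}
	}
	return "", false // module not required at all
}

func main() {
	// Constructed sample go.mod, not taken from any real project.
	v, bad := affectedInGoMod("module example.com/app\n\nrequire (\n\tgithub.com/prest/prest v2.0.0-rc2\n)\n")
	fmt.Printf("%s %s affected=%v\n", affectedModule, v, bad) // v2.0.0-rc2 affected=true
}
```

Point affectedInGoMod at the contents of each deployed service's go.mod; a replace directive or vendored copy is not inspected here, so treat a clean result as a first pass, not proof.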
Upgrade to version 2.0.0-rc3 or later to resolve the vulnerability. Implement input validation and WAF rules as temporary mitigations if immediate upgrade is not possible.
While no public exploits are currently available, the high severity and systemic nature of the vulnerability suggest a potential for active exploitation.
Refer to the pREST project's official repository and release notes for the advisory and detailed information regarding the fix.