rAthena has SQL Injection in PartyBooking component via `WorldName` parameter.

Successful exploitation of this SQL Injection vulnerability allows an attacker to inject malicious SQL code into database queries executed by the rAthena server. This can lead to a wide range of consequences, including unauthorized access to sensitive player data (usernames, passwords, character information, inventory), modification of game data (item quantities, character stats), and potentially even complete database compromise. Depending on the database user's privileges, an attacker might be able to execute arbitrary commands on the server itself, leading to a complete system takeover. The blast radius extends to all players and administrators of the affected rAthena server instance.

Game server administrators and players of rAthena MMORPG servers running vulnerable versions are at risk. This includes both public and private server instances. Shared hosting environments where multiple rAthena servers are hosted on the same infrastructure are particularly vulnerable, as a compromise of one server could potentially lead to the compromise of others.

1. 2025-09-09Disclosure

   disclosure

1. 予約済み2025-09-01
2. 公開日2025-09-09
3. 更新日2025-09-10
4. EPSS 更新日2026-03-23

The primary mitigation for CVE-2025-58448 is to immediately upgrade rAthena to version 0d89ae0 or later. If an immediate upgrade is not feasible due to compatibility concerns or downtime requirements, consider implementing temporary workarounds. Input validation on the WorldName parameter is crucial; sanitize or escape any user-supplied input before incorporating it into SQL queries. Web application firewalls (WAFs) configured to detect and block SQL Injection attempts can provide an additional layer of defense. Monitor server logs for suspicious SQL queries or database activity.