Platform: other
Component: rathena
Fixed in: 0.0.1
CVE-2025-58448 describes a SQL Injection vulnerability discovered in rAthena, an open-source MMORPG server. The flaw resides in the PartyBooking component and is reached by manipulating the WorldName parameter. Exploitation could lead to unauthorized data access and modification. Affected versions are those prior to commit 0d89ae0; upgrading to a build that includes this commit resolves the issue.
Successful exploitation of this SQL Injection vulnerability allows an attacker to inject malicious SQL code into database queries executed by the rAthena server. This can lead to a wide range of consequences, including unauthorized access to sensitive player data (usernames, passwords, character information, inventory), modification of game data (item quantities, character stats), and potentially even complete database compromise. Depending on the database user's privileges, an attacker might be able to execute arbitrary commands on the server itself, leading to a complete system takeover. The blast radius extends to all players and administrators of the affected rAthena server instance.
CVE-2025-58448 was publicly disclosed on 2025-09-09. As of this date, there are no known public exploits or active campaigns targeting this vulnerability, and it is not listed in the CISA KEV catalog. The ease of exploitation is relatively high because the injection point is reached directly, but limited public awareness may reduce the immediate risk.
Game server administrators and players of rAthena MMORPG servers running vulnerable versions are at risk. This includes both public and private server instances. Shared hosting environments where multiple rAthena servers are hosted on the same infrastructure are particularly vulnerable, as a compromise of one server could potentially lead to the compromise of others.
Exploit status: disclosure
EPSS: 0.04% (11th percentile)
The primary mitigation for CVE-2025-58448 is to upgrade rAthena immediately to a build that includes commit 0d89ae0. If an immediate upgrade is not feasible because of compatibility concerns or downtime requirements, consider temporary workarounds. Input validation on the WorldName parameter is crucial: sanitize or escape any user-supplied input before it is incorporated into SQL queries. Web application firewalls (WAFs) configured to detect and block SQL Injection attempts provide an additional layer of defense. Monitor server logs for suspicious SQL queries or unusual database activity.
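The following is an added illustration of the defect class and the workaround described above; it is not rAthena's own (C++) code and does not reproduce the project's schema or query. It uses Python's built-in sqlite3 module with a constructed party-booking table and a hypothetical WorldName lookup, and contrasts a query that splices the parameter into the SQL text with a parameter-bound query plus an allowlist check on the value.

```python
import re
import sqlite3

# Constructed stand-in for a party-booking table (not rAthena's real schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE party_booking ("
        "id INTEGER PRIMARY KEY, world_name TEXT, leader TEXT)"
    )
    conn.executemany(
        "INSERT INTO party_booking (world_name, leader) VALUES (?, ?)",
        [("Prontera", "alice"), ("Payon", "bob")],
    )
    conn.commit()
    return conn


def search_bookings_vulnerable(conn, world_name):
    # The pattern behind this bug class: the client-controlled WorldName is
    # pasted into the query text, so its content becomes part of the SQL.
    sql = (
        "SELECT leader FROM party_booking "
        f"WHERE world_name = '{world_name}' ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql)]


def search_bookings_safe(conn, world_name):
    # Bound parameter: the driver transmits the value separately from the
    # statement, so it is always compared as data and never parsed as SQL.
    sql = "SELECT leader FROM party_booking WHERE world_name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (world_name,))]


# Allowlist for the interim workaround: a world name is a short identifier.
# The exact character set is an assumption for this example.
WORLD_NAME_RE = re.compile(r"^[A-Za-z0-9_ -]{1,32}$")


def validate_world_name(world_name):
    return bool(WORLD_NAME_RE.fullmatch(world_name))


def lookup_world(conn, world_name):
    # Defence in depth: reject malformed input early AND bind the parameter.
    if not validate_world_name(world_name):
        raise ValueError("rejected WorldName value")
    return search_bookings_safe(conn, world_name)


def demo():
    conn = make_db()
    benign = "Prontera"
    # Constructed value that alters the WHERE clause when concatenated.
    tricky = "' OR '1'='1"
    results = {
        "vuln_benign": search_bookings_vulnerable(conn, benign),
        "vuln_tricky": search_bookings_vulnerable(conn, tricky),  # leaks every row
        "safe_benign": search_bookings_safe(conn, benign),
        "safe_tricky": search_bookings_safe(conn, tricky),  # no such world: empty
        "valid_benign": validate_world_name(benign),
        "valid_tricky": validate_world_name(tricky),
    }
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With the concatenated query the crafted value returns both leaders, which is the "unauthorized data access" outcome; with the bound parameter the same value simply matches no row, and the allowlist rejects it before any query runs. The same two controls (bind, then validate) are what a temporary patch to the PartyBooking handler should aim for until the fixed commit is deployed.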
Update rAthena to a version later than commit 0d89ae0. This fixes the SQL injection vulnerability in the PartyBooking component. See commit 0d89ae071ff5e46e8dedcf45d060acec84b3abb5 for details of the fix.
CVE-2025-58448 is a critical SQL Injection vulnerability affecting rAthena MMORPG servers prior to commit 0d89ae0. The WorldName parameter in the PartyBooking component is vulnerable, allowing attackers to inject malicious SQL code.
You are affected if you are running rAthena MMORPG server versions prior to commit 0d89ae0. Check your server version and upgrade immediately if vulnerable.
Upgrade your rAthena server to a build that includes commit 0d89ae0 or later. If an immediate upgrade is not possible, implement input validation on the WorldName parameter as a temporary workaround.
As of 2025-09-09, there are no confirmed reports of active exploitation, but the vulnerability is publicly known and could be targeted.
Refer to the rAthena project's official website and commit history for details and updates regarding CVE-2025-58448 and the associated fix.