CVE-2025-29085
published 2025-04-02


Priority: P1 (80)
CVSS 3.1: 9.8 critical
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploited in the wild (VulnCheck KEV)
EPSS: 29.13% (97.9th percentile)
SQL injection vulnerability in vipshop Saturn v3.5.1 and before allows a remote attacker to execute arbitrary code via the zkClusterKey parameter of the /console/dashboard/executorCount component.

Detection & IOCs (extracted from sources)

URL: /console/dashboard/executorCount?zkClusterKey=1%27-extractvalue(1,concat(0x0a,version()))--%20-
Path: /console/dashboard/executorCount
  • Detect successful exploitation by matching the error string 'java.sql.SQLException: XPATH syntax error: \'' in HTTP response bodies returned by the vulnerable endpoint. This is the MySQL XPath error raised by extractvalue() on a deliberately malformed XPath expression, surfaced through JDBC; the data the attacker is extracting follows the quote.
  • Monitor HTTP GET requests to /console/dashboard/executorCount with a zkClusterKey parameter containing SQL injection payloads, particularly those using extractvalue() and concat() with a 0x0a hex literal, as in the published URL above. URL-decode the parameter before matching, since the quote and trailing space arrive as %27 and %20.
  • The vulnerability is unauthenticated (PR:N), so no session or auth token is required. Flag any unauthenticated request to the executorCount endpoint whose zkClusterKey value contains SQL metacharacters.
  • The vulnerability affects Vipshop Saturn Console version 3.5.1 and all prior versions; version 3.5.2 and later are not affected.
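The two detection bullets above, implemented as runnable logic, added here as an example and not code from the page's sources or from the Saturn project. It parses combined-format access-log lines (the three lines below are constructed samples; the IPs are documentation ranges), URL-decodes zkClusterKey, flags requests to the vulnerable path whose value carries SQL metacharacters or the extractvalue/concat/0x0a pattern, and checks a response body for the XPATH error marker. The metacharacter list is an assumption broader than the single published payload.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

VULN_PATH = "/console/dashboard/executorCount"

# Error string listed on the page: MySQL's extractvalue() XPath error, wrapped by JDBC.
# The extracted data (e.g. version()) follows the trailing quote in the real response.
ERROR_MARKER = "java.sql.SQLException: XPATH syntax error: '"

# Assumed detection pattern: SQL metacharacters plus the functions used by the
# published payload (extractvalue/concat) and a few common error/blind helpers.
SQLI_PATTERN = re.compile(
    r"""(['"#;]|--|/\*|\b(?:extractvalue|updatexml|concat|union|select|sleep|benchmark)\s*\(|0x[0-9a-f]{2,})""",
    re.IGNORECASE,
)

# Combined log format (Apache/nginx style): ip ident user [ts] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log: one exploitation attempt, one benign call, one off-path probe.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Apr/2025:10:15:01 +0000] "GET /console/dashboard/executorCount?zkClusterKey=1%27-extractvalue(1,concat(0x0a,version()))--%20- HTTP/1.1" 500 412
198.51.100.7 - - [02/Apr/2025:10:15:05 +0000] "GET /console/dashboard/executorCount?zkClusterKey=prod-zk HTTP/1.1" 200 87
203.0.113.5 - - [02/Apr/2025:10:15:09 +0000] "GET /console/dashboard/jobs?zkClusterKey=1%27%20or%201=1-- HTTP/1.1" 200 1023
""".splitlines()


def zk_cluster_key_payloads(target):
    """Return decoded zkClusterKey values if the request target hits the vulnerable path."""
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return []
    values = parse_qs(parts.query, keep_blank_values=True).get("zkClusterKey", [])
    # parse_qs already decoded once; decode again to catch %2527-style double encoding.
    return [unquote(v) for v in values]


def scan_access_log(lines):
    """Return one hit dict per request carrying a suspicious zkClusterKey to the endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        for value in zk_cluster_key_payloads(m["target"]):
            found = SQLI_PATTERN.search(value)
            if found:
                hits.append({
                    "ip": m["ip"],
                    "ts": m["ts"],
                    "status": int(m["status"]),
                    "payload": value,
                    "matched": found.group(0),
                })
    return hits


def response_indicates_exploitation(body):
    """True when a response body carries the XPATH error that error-based extraction relies on."""
    return ERROR_MARKER in body


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} zkClusterKey={hit['payload']!r}")
    # Constructed response fragment showing the marker followed by the leaked version string.
    print(response_indicates_exploitation("java.sql.SQLException: XPATH syntax error: '\n8.0.36'"))
```

The third sample line is deliberately not flagged: the page's rule is scoped to /console/dashboard/executorCount, so widening the path check to other console routes is a tuning decision for the operator, not something the sources here establish.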

CVSS provenance

NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL