
CVE-2025-10218: SQL Injection in lostvip-com ruoyi-go

Severity: Medium
Tags: Vulnerability, CVE-2025-10218, cve
Published: Wed Sep 10 2025 (09/10/2025, 21:32:05 UTC)
Source: CVE Database V5
Vendor/Project: lostvip-com
Product: ruoyi-go

Description

A flaw has been found in lostvip-com ruoyi-go 2.1. Affected is the function SelectListPage of the file modules/system/dao/SysRoleDao.go in the Background Management Page component. Manipulation of the argument sortName leads to SQL injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

AI analysis last updated: 09/18/2025, 00:42:01 UTC

Technical Analysis

CVE-2025-10218 is a medium severity SQL Injection vulnerability in version 2.1 of the ruoyi-go product developed by lostvip-com. The vulnerability is in the SelectListPage function within modules/system/dao/SysRoleDao.go, part of the Background Management Page component. The flaw arises because the 'sortName' argument is used directly to build the SQL statement without validation. A sort column is an identifier rather than a value, so it cannot be passed as a bound query parameter; code of this shape typically concatenates it into the ORDER BY clause, which is where the injected SQL lands, and the usual consequence is boolean- or time-based blind extraction through the role listing rather than an error message. The analysis rates the vector as network-reachable with low complexity and no user interaction, and the CVSS 4.0 base score of 5.3 reflects limited impact on confidentiality, integrity and availability. The analysis also states that no privileges are required; because the affected function belongs to the Background Management Page, operators should verify whether the role listing endpoint is reachable without an authenticated session in their own deployment, since that decides whether the realistic attacker is anonymous or an already logged-in low-privileged user. Although an exploit has been published, there are no known widespread exploits in the wild yet. The vendor was contacted but did not respond, and no official patch or mitigation has been released at this time. The vulnerability could be leveraged to run unauthorized queries, extract sensitive data, or alter role management information within the affected system, which could facilitate further privilege escalation or lateral movement within an organization's environment.
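The pattern described above, written out as an added example in Go. This is not ruoyi-go's code and not the published proof of concept: the table, column and function names are assumptions chosen to illustrate an ORDER BY injection and the allow-list that fixes it. The unsafe builder splices sortName into the statement by string formatting; the safe builder maps sortName through a fixed set of column identifiers, restricts the direction to ASC or DESC, and binds the paging numbers as parameters, which is the only correct treatment for an identifier position.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Assumed table and column names for illustration; not taken from SysRoleDao.go.
const roleSelect = "SELECT role_id, role_name, role_key FROM sys_role WHERE del_flag = '0'"

// VulnerableRoleListSQL shows the unsafe pattern: the caller-controlled sort
// column and direction are formatted into ORDER BY, so any SQL placed in
// sortName becomes part of the statement.
func VulnerableRoleListSQL(sortName, sortOrder string, page, size int) string {
	offset := (page - 1) * size
	return fmt.Sprintf("%s ORDER BY %s %s LIMIT %d OFFSET %d",
		roleSelect, sortName, sortOrder, size, offset)
}

// allowedSortColumns maps the names the page may send to real column
// identifiers. Identifiers cannot be bound parameters, so an allow-list is
// the only correct defence for ORDER BY input.
var allowedSortColumns = map[string]string{
	"roleId":     "role_id",
	"roleName":   "role_name",
	"roleSort":   "role_sort",
	"createTime": "create_time",
}

var ErrBadSort = errors.New("sort parameter not in allow-list")

// SafeRoleListSQL resolves sortName through the allow-list, constrains
// sortOrder to ASC/DESC, validates paging, and returns bound arguments.
func SafeRoleListSQL(sortName, sortOrder string, page, size int) (string, []interface{}, error) {
	col, ok := allowedSortColumns[sortName]
	if !ok {
		return "", nil, ErrBadSort
	}
	dir := strings.ToUpper(sortOrder)
	if dir != "ASC" && dir != "DESC" {
		return "", nil, ErrBadSort
	}
	if page < 1 || size < 1 || size > 500 {
		return "", nil, ErrBadSort
	}
	query := fmt.Sprintf("%s ORDER BY %s %s LIMIT ? OFFSET ?", roleSelect, col, dir)
	return query, []interface{}{size, (page - 1) * size}, nil
}

// InjectedSortName is a constructed ORDER BY payload of the kind used for
// boolean-based blind injection: the sort column is picked by a sub-select,
// so the returned row order leaks whether the condition holds. It is an
// illustration, not the published exploit.
const InjectedSortName = "(CASE WHEN (SELECT 1)=1 THEN role_id ELSE role_name END)"

func main() {
	fmt.Println("unsafe:", VulnerableRoleListSQL(InjectedSortName, "asc", 1, 10))
	q, args, err := SafeRoleListSQL(InjectedSortName, "asc", 1, 10)
	fmt.Println("safe  :", q, args, err)
	q, args, err = SafeRoleListSQL("roleName", "desc", 2, 10)
	fmt.Println("safe  :", q, args, err)
}
```

Note that the payload contains no quotes or comment markers, which is why signature-based filters tuned for classic string-context injection tend to miss ORDER BY injection; the allow-list rejects it simply because it is not one of the four known names.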

Potential Impact

For European organizations using ruoyi-go 2.1, this vulnerability poses a risk to the confidentiality and integrity of their role management data within the Background Management Page. Successful exploitation could allow attackers to retrieve sensitive information about user roles or permissions, potentially enabling privilege escalation or unauthorized access to critical systems. This could disrupt internal access controls and lead to data breaches or operational disruptions. Organizations in sectors with strict data protection regulations, such as finance, healthcare, or government, may face compliance risks and reputational damage if exploited. Although the impact on availability is limited, the compromise of role data could indirectly affect system stability or security posture. The lack of vendor response and absence of patches increases the urgency for organizations to implement compensating controls. Given the remote exploitability and no requirement for user interaction, threat actors could automate attacks against exposed instances, increasing the likelihood of exploitation if systems are internet-facing or insufficiently protected.

Mitigation Recommendations

No official patch or update is currently available from the vendor, so organizations running ruoyi-go 2.1 should implement compensating controls now:
1) Restrict network access to the ruoyi-go management interface (firewall rules, VPN, IP allow-listing) so that only trusted administrators can reach it.
2) Place a Web Application Firewall or reverse proxy in front of the application with a rule for role listing requests that rejects any 'sortName' value that is not a plain identifier from the set of columns the page legitimately offers. An allow-list is more reliable than signature matching here, because an ORDER BY payload need not contain quotes or comment markers.
3) Where the source can be modified, fix SelectListPage itself by mapping 'sortName' through an allow-list of column names before it reaches the query and constraining the sort direction to ASC or DESC. Identifier positions cannot be parameterized, so escaping alone is not a fix.
4) Monitor access logs and database query logs for 'sortName' values containing spaces, parentheses, commas or sub-selects, and for repeated requests to the role listing endpoint from a single source.
5) Track vendor and community patches and test them in an isolated environment before production rollout.
6) Review role-based access control assignments so that a disclosed or altered role table yields as little as possible to an attacker.
7) Brief administrators on the issue so that unexpected role or permission changes are investigated promptly rather than dismissed.
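A compensating control of the kind items 2 and 3 above describe, as an added example that is not part of the original analysis and not code from ruoyi-go: a Go HTTP middleware that could run in a reverse proxy in front of the application and reject role listing requests whose 'sortName' is not a permitted column. The route path /system/role/list, the 'sortOrder' parameter and the column list are assumptions; the page itself names only the 'sortName' argument. Rejected values are kept in an audit slice so they can be forwarded to log monitoring (item 4).

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
	"net/url"
	"regexp"
	"strings"
)

// identPattern is the only shape a legitimate sort column name can take.
// Spaces, commas, parentheses or quotes mark a payload, not a column.
var identPattern = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]{0,63}$`)

// SortGuard is a hypothetical proxy-side filter. Path and Allowed are
// assumptions for this example, not values taken from ruoyi-go.
type SortGuard struct {
	Path     string          // route prefix to protect
	Allowed  map[string]bool // sort columns the page legitimately offers
	Rejected []string        // audit trail of blocked parameter values
}

// check returns false and a reason when a request carries a sort parameter
// that must not reach the application.
func (g *SortGuard) check(r *http.Request) (bool, string) {
	if !strings.HasPrefix(r.URL.Path, g.Path) {
		return true, ""
	}
	q := r.URL.Query()
	if v := q.Get("sortName"); v != "" {
		if !identPattern.MatchString(v) || !g.Allowed[v] {
			return false, "sortName=" + v
		}
	}
	if v := strings.ToUpper(q.Get("sortOrder")); v != "" && v != "ASC" && v != "DESC" {
		return false, "sortOrder=" + v
	}
	return true, ""
}

// Wrap turns the guard into standard middleware around the proxied handler.
func (g *SortGuard) Wrap(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ok, why := g.check(r)
		if !ok {
			g.Rejected = append(g.Rejected, why)
			log.Printf("blocked sort parameter from %s on %s: %s", r.RemoteAddr, r.URL.Path, why)
			http.Error(w, "invalid sort parameter", http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// NewRoleListGuard builds a guard for an assumed role listing route.
func NewRoleListGuard() *SortGuard {
	return &SortGuard{
		Path:    "/system/role/list",
		Allowed: map[string]bool{"role_id": true, "role_name": true, "role_sort": true, "create_time": true},
	}
}

// Probe sends one constructed request through the guard to a stub backend and
// returns the HTTP status, so the behaviour can be exercised offline.
func Probe(g *SortGuard, sortName, sortOrder string) int {
	backend := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	u := url.URL{Path: g.Path, RawQuery: url.Values{"sortName": {sortName}, "sortOrder": {sortOrder}}.Encode()}
	rec := httptest.NewRecorder()
	g.Wrap(backend).ServeHTTP(rec, httptest.NewRequest(http.MethodGet, u.String(), nil))
	return rec.Code
}

func main() {
	g := NewRoleListGuard()
	fmt.Println("legitimate:", Probe(g, "role_name", "desc"))
	fmt.Println("payload   :", Probe(g, "(CASE WHEN (SELECT 1)=1 THEN role_id ELSE role_name END)", "asc"))
	fmt.Println("rejected  :", g.Rejected)
}
```

The check deliberately refuses valid-looking identifiers that the page never offers (for example a column such as password), because the harm of ORDER BY injection includes sorting by columns the user is not meant to see.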


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-09-10T11:35:51.947Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68c1f18512193b50d300cefe

Added to database: 9/10/2025, 9:45:41 PM

Last enriched: 9/18/2025, 12:42:01 AM

Last updated: 10/30/2025, 4:03:30 PM

