CVE-2025-10218: SQL Injection in lostvip-com ruoyi-go
A flaw has been found in lostvip-com ruoyi-go 2.1. This affects the function SelectListPage of the file modules/system/dao/SysRoleDao.go of the component Background Management Page. This manipulation of the argument sortName causes sql injection. Remote exploitation of the attack is possible. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-10218 is a medium severity SQL Injection vulnerability identified in version 2.1 of the ruoyi-go software developed by lostvip-com. The vulnerability resides in the SelectListPage function within the modules/system/dao/SysRoleDao.go file, specifically in the Background Management Page component. The flaw arises due to improper sanitization or validation of the 'sortName' argument, which is directly used in SQL queries. This allows an attacker to manipulate the 'sortName' parameter to inject arbitrary SQL commands. The vulnerability is remotely exploitable without requiring user interaction or authentication, increasing its risk profile. Although the CVSS 4.0 base score is 5.3 (medium), the exploit has been published publicly, which raises the likelihood of exploitation. The vendor was contacted but did not respond or provide a patch, leaving affected systems exposed. The vulnerability impacts the confidentiality, integrity, and availability of the backend database, potentially allowing attackers to extract sensitive data, modify or delete records, or disrupt service availability. The lack of authentication requirement and remote exploitability make this a notable risk for organizations using ruoyi-go 2.1, especially those relying on the Background Management Page for role management and access control. The absence of vendor response and patches further exacerbates the threat landscape around this vulnerability.
Potential Impact
For European organizations using ruoyi-go 2.1, this SQL Injection vulnerability poses a significant risk to the security of their backend systems. Exploitation could lead to unauthorized data disclosure, including sensitive user or organizational information, which may violate GDPR and other data protection regulations. Integrity of role and permission data could be compromised, potentially allowing privilege escalation or unauthorized access to critical systems. Availability could also be affected if attackers execute destructive SQL commands or cause database corruption. Given the remote and unauthenticated nature of the exploit, attackers can launch attacks from anywhere, increasing the attack surface. Organizations in sectors with high regulatory scrutiny such as finance, healthcare, and government are particularly at risk due to the potential for data breaches and operational disruptions. The public availability of exploits and lack of vendor patches mean that attackers can readily target vulnerable systems, increasing the urgency for European entities to assess and mitigate this vulnerability promptly.
Mitigation Recommendations
1. Immediate mitigation should include implementing web application firewalls (WAFs) with custom rules to detect and block malicious SQL injection payloads targeting the 'sortName' parameter.
2. Conduct a thorough code review of the SelectListPage function and related database access code to implement proper input validation and parameterized queries or prepared statements to eliminate SQL injection vectors.
3. If possible, upgrade to a later, patched version of ruoyi-go once available; if no patch exists, consider disabling or restricting access to the affected Background Management Page component until a fix is released.
4. Employ network segmentation and strict access controls to limit exposure of the management interfaces to trusted internal networks only.
5. Monitor logs and network traffic for unusual query patterns or repeated attempts to exploit the 'sortName' parameter.
6. Develop an incident response plan specifically addressing SQL injection attacks, including data backup and recovery procedures to mitigate potential data loss or corruption.
7. Engage with the vendor or community to encourage patch development and share threat intelligence related to this vulnerability.
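The following Go program is an added illustration and is not ruoyi-go's code; it shows the pattern the technical summary describes (a caller-controlled sort name concatenated into ORDER BY) next to a hardened version, and a small log check of the kind recommendation 5 calls for. One caveat on recommendation 2: a prepared-statement placeholder can bind a value but not an identifier, so for a sort column the "parameterized query" advice translates in practice to an allowlist that maps client-supplied keys to fixed column names. The table name sys_role, the column names, the /system/role/list path and the log lines are all assumptions constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// ErrBadSort is returned when a caller-supplied sort column or direction is not on the allowlist.
var ErrBadSort = errors.New("sort column or direction not permitted")

// allowedSortColumns maps the keys a client may send to the real column names.
// Table and column names are assumptions for this example, not ruoyi-go's schema.
var allowedSortColumns = map[string]string{
	"roleId":     "role_id",
	"roleName":   "role_name",
	"roleSort":   "role_sort",
	"status":     "status",
	"createTime": "create_time",
}

// buildRoleQueryUnsafe reproduces the vulnerable pattern the advisory describes:
// the caller-controlled sort name is concatenated straight into ORDER BY, so
// whatever the client sends becomes part of the SQL text.
func buildRoleQueryUnsafe(sortName, sortOrder string) string {
	return fmt.Sprintf("SELECT role_id, role_name FROM sys_role ORDER BY %s %s", sortName, sortOrder)
}

// buildRoleQuerySafe is the hardened form. A placeholder cannot bind an identifier,
// so the client key is looked up in a fixed map and the direction is restricted to
// ASC/DESC; anything else is rejected before any SQL is assembled.
func buildRoleQuerySafe(sortName, sortOrder string) (string, error) {
	col, ok := allowedSortColumns[sortName]
	if !ok {
		return "", ErrBadSort
	}
	var dir string
	switch strings.ToUpper(sortOrder) {
	case "", "ASC":
		dir = "ASC"
	case "DESC":
		dir = "DESC"
	default:
		return "", ErrBadSort
	}
	return fmt.Sprintf("SELECT role_id, role_name FROM sys_role ORDER BY %s %s", col, dir), nil
}

// identifierShape matches what a legitimate sort key looks like: a bare identifier.
var identifierShape = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

// sortParamSuspicious flags a sortName value that could never be a valid sort key,
// which is the "unusual query pattern" a log monitor should alert on.
func sortParamSuspicious(value string) bool {
	return !identifierShape.MatchString(value)
}

// sampleAccessLog is constructed sample data in a "METHOD path status" shape;
// the /system/role/list path is assumed for the example.
var sampleAccessLog = []string{
	"GET /system/role/list?pageNum=1&pageSize=10&sortName=roleName&sortOrder=asc 200",
	"GET /system/role/list?pageNum=1&pageSize=10&sortName=role_name%3B--&sortOrder=asc 500",
	"GET /system/role/list?pageNum=2&pageSize=10&sortName=createTime&sortOrder=desc 200",
}

// flagSuspiciousSortRequests returns the log lines whose sortName parameter
// fails the identifier check, after URL-decoding the query string.
func flagSuspiciousSortRequests(lines []string) []string {
	var hits []string
	for _, line := range lines {
		fields := strings.Fields(line)
		if len(fields) < 2 {
			continue
		}
		u, err := url.Parse(fields[1])
		if err != nil {
			continue
		}
		if v := u.Query().Get("sortName"); v != "" && sortParamSuspicious(v) {
			hits = append(hits, line)
		}
	}
	return hits
}

func main() {
	fmt.Println("unsafe:", buildRoleQueryUnsafe("role_name;--", "asc"))
	q, err := buildRoleQuerySafe("roleName", "desc")
	fmt.Println("safe:", q, err)
	_, err = buildRoleQuerySafe("role_name;--", "asc")
	fmt.Println("rejected:", err)
	for _, h := range flagSuspiciousSortRequests(sampleAccessLog) {
		fmt.Println("suspicious:", h)
	}
}
```

The allowlist also decouples the HTTP parameter names from the schema, so a client never learns real column names from the sort keys it is allowed to send; the log check is deliberately strict (anything that is not a bare identifier is flagged) because a legitimate client of this endpoint has no reason to send anything else.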
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-10T11:35:51.947Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68c1f18512193b50d300cefe
Added to database: 9/10/2025, 9:45:41 PM
Last enriched: 9/10/2025, 10:00:37 PM
Last updated: 9/10/2025, 10:00:37 PM
Related Threats
- CVE-2025-10234: Cross Site Scripting in Scada-LTS (Medium)
- CVE-2025-10233: Path Traversal in kalcaddle kodbox (Medium)
- CVE-2025-10232: Path Traversal in 299ko (Medium)
- CVE-2025-10229: Open Redirect in Freshwork (Medium)
- CVE-2025-10216: Race Condition in GrandNode (Low)