CVE-2025-10762: SQL Injection in kuaifan DooTask
A vulnerability was found in kuaifan DooTask up to 1.2.49. Affected by this vulnerability is an unknown functionality of the file app/Http/Controllers/Api/UsersController.php. The manipulation of the argument keys[department] results in SQL injection. The attack can be executed remotely. The exploit has been made public and could be used.
AI Analysis
Technical Summary
CVE-2025-10762 is a SQL Injection vulnerability identified in the kuaifan DooTask application, specifically affecting versions up to 1.2.49. The vulnerability exists in the file app/Http/Controllers/Api/UsersController.php, where improper sanitization of the 'keys[department]' parameter allows an attacker to inject malicious SQL code. The CVSS vector (AV:N/AC:L/AT:N/UI:N/PR:L) indicates that the flaw is reachable over the network with low attack complexity and no user interaction, but that it requires a low-privileged account (PR:L), so an attacker needs valid, unprivileged application credentials rather than anonymous access. The vulnerability impacts the confidentiality, integrity, and availability of the underlying database, potentially allowing attackers to extract sensitive data, modify or delete records, or disrupt application functionality. Although the CVSS score is medium (5.3), exploitation is relatively straightforward because of the low attack complexity and the absence of any user-interaction requirement. The vulnerability has been publicly disclosed, but no known exploits in the wild have been reported yet. The lack of available patches at the time of publication increases the urgency for organizations using DooTask to implement mitigations. The vulnerability's presence in a core API controller handling user-related data suggests that exploitation could lead to significant data breaches or unauthorized data manipulation within affected systems.
Potential Impact
For European organizations utilizing kuaifan DooTask, this vulnerability poses a moderate risk with potential for significant impact. Exploitation could lead to unauthorized access to sensitive user or departmental data, undermining data confidentiality and integrity. This is particularly critical for organizations in regulated sectors such as finance, healthcare, and public administration, where data protection is mandated by GDPR and other regulations. A successful attack could result in data breaches, regulatory penalties, reputational damage, and operational disruptions. Given the remote exploitability and lack of required user interaction, attackers could automate attacks at scale, increasing the risk of widespread compromise. The medium severity score reflects a balance between exploitability and impact; however, the absence of patches and public disclosure heightens the urgency for mitigation. Organizations relying on DooTask for task or user management should be vigilant, as attackers might leverage this vulnerability to pivot within networks or exfiltrate sensitive information.
Mitigation Recommendations
Immediate mitigation steps include implementing strict allow-list validation on the 'keys[department]' parameter (accepting only the value shape the application actually expects) and ensuring that the value reaches the database only through parameterized queries, so that it is never interpreted as SQL. Organizations should audit their DooTask installations and restrict external access to the vulnerable API endpoint through network segmentation and firewall rules. Employing Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting the affected parameter can provide a temporary protective layer. Monitoring application logs for unusual query patterns or errors related to SQL injection attempts is critical for early detection. Since no official patches are currently available, organizations should engage with the vendor for updates and consider applying virtual patching techniques. Additionally, limiting the privileges of the database user account used by DooTask can reduce the potential impact of exploitation. Regular backups and incident response plans should be reviewed and updated to prepare for potential exploitation scenarios.
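The two defender-side controls above (allow-list validation of the parameter, and log monitoring for injection attempts against it) can be demonstrated together. The following is an added example written for this page; it is not DooTask's code and does not reproduce the vulnerable controller. It assumes that a well-formed department key is a numeric department id (the advisory does not state the parameter's intended type, so this allow-list is a hypothetical choice that an operator would adjust to the real schema), and it uses a constructed endpoint path and constructed access-log lines, since the advisory only identifies the file, not the route.

```python
"""Allow-list validation and access-log triage for the keys[department] parameter.

Added example for CVE-2025-10762, not DooTask's own code. Assumptions (hypothetical):
a valid department key is a short decimal id, the endpoint is a GET request whose
query string appears in a combined-format access log, and the route /api/users/search
stands in for the real one, which the advisory does not name.
"""
import re
from typing import List, Dict, Optional
from urllib.parse import urlsplit, parse_qs

# Allow-list for the expected value shape (assumed: numeric department id).
DEPARTMENT_RE = re.compile(r"^[0-9]{1,10}$")

# Tokens that have no place in a department id and are typical of SQL
# metacharacters. Used only to label log findings; the allow-list is the control.
SUSPICIOUS_RE = re.compile(
    r"""['";]|--|/\*|\b(?:or|and|union|select|sleep)\b""", re.IGNORECASE
)

# Combined/common log format: ip ident user [ts] "METHOD path PROTO" status size
LOG_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)


def validate_department(value: str) -> Optional[int]:
    """Return the department id as an int if it matches the allow-list, else None.

    This is the check the application should apply before the value is bound
    into a parameterized query; anything returning None is rejected outright.
    """
    if DEPARTMENT_RE.fullmatch(value):
        return int(value)
    return None


def extract_department_values(path: str) -> List[str]:
    """Pull every keys[department] value out of a request path's query string.

    parse_qs percent-decodes both the bracketed key and the value, so
    keys%5Bdepartment%5D=1%27 arrives here as keys[department] -> "1'".
    """
    params = parse_qs(urlsplit(path).query, keep_blank_values=True)
    return params.get("keys[department]", [])


def triage_log(lines: List[str]) -> List[Dict[str, object]]:
    """Flag requests whose keys[department] value fails the allow-list.

    Each finding records the client, timestamp, decoded value, HTTP status and a
    reason: 'suspicious-tokens' if SQL metacharacters are present, otherwise
    'fails-allowlist'. A 5xx status next to a rejected value is worth a closer look,
    since database errors are a common side effect of injection probing.
    """
    findings: List[Dict[str, object]] = []
    for line in lines:
        m = LOG_LINE_RE.match(line)
        if not m:
            continue  # not an access-log line we understand; skip rather than guess
        for raw in extract_department_values(m["path"]):
            if validate_department(raw) is not None:
                continue  # well-formed id, nothing to report
            reason = "suspicious-tokens" if SUSPICIOUS_RE.search(raw) else "fails-allowlist"
            findings.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "value": raw,
                "status": int(m["status"]),
                "reason": reason,
            })
    return findings


# Constructed sample log lines (not from any real DooTask deployment).
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Sep/2025:00:07:59 +0000] "GET /api/users/search?keys%5Bdepartment%5D=3 HTTP/1.1" 200 512',
    '10.0.0.5 - - [22/Sep/2025:00:08:02 +0000] "GET /api/users/search?keys%5Bdepartment%5D=1%27%20OR%201%3D1 HTTP/1.1" 200 9831',
    '10.0.0.9 - - [22/Sep/2025:00:08:10 +0000] "GET /api/users/search?keys%5Bdepartment%5D=abc HTTP/1.1" 500 120',
    '10.0.0.7 - - [22/Sep/2025:00:09:00 +0000] "GET /api/users/info?userid=12 HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(finding)
```

The same `validate_department` shape is what a WAF or virtual-patch rule should enforce at the edge until a vendor fix is available: reject anything that does not match the expected form, rather than trying to enumerate bad inputs. The keyword list in `SUSPICIOUS_RE` only prioritizes findings for an analyst; it is deliberately not the blocking decision, because deny-lists are easy to bypass.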
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-20T07:07:08.848Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68d0935fb68a0c387d42a937
Added to database: 9/22/2025, 12:07:59 AM
Last enriched: 9/29/2025, 12:45:27 AM
Last updated: 11/5/2025, 8:34:43 PM