CVE-2025-10762: SQL Injection in kuaifan DooTask

Severity: Medium
Tags: Vulnerability, CVE-2025-10762
Published: Sun Sep 21 2025 (09/21/2025, 04:32:06 UTC)
Source: CVE Database V5
Vendor/Project: kuaifan
Product: DooTask

Description

A vulnerability was found in kuaifan DooTask up to 1.2.49. Affected by this vulnerability is an unknown functionality of the file app/Http/Controllers/Api/UsersController.php. The manipulation of the argument keys[department] results in sql injection. The attack can be executed remotely. The exploit has been made public and could be used.

AI-Powered Analysis

AI analysis last updated: 09/22/2025, 00:09:12 UTC

Technical Analysis

CVE-2025-10762 is a SQL injection vulnerability in the kuaifan DooTask application, affecting versions up to 1.2.49. The flaw is located in app/Http/Controllers/Api/UsersController.php (a Laravel controller; DooTask's backend is PHP), where the 'keys[department]' request parameter reaches a database query without adequate validation or parameterization. PHP parses keys[department] as the 'department' element of a request array named 'keys', so the value arrives as ordinary user input and an attacker can supply SQL syntax in place of a department value. The published CVSS 4.0 vector (AV:N/AC:L/AT:N/UI:N/PR:L) shows that the attack is reachable over the network, has low complexity, needs no special preconditions and no user interaction, but does require low privileges (PR:L): the attacker must hold, or first obtain, an ordinary authenticated account. "Remotely" in the description therefore does not mean unauthenticated. A successful injection can read or modify data in the backend database, affecting the confidentiality, integrity and availability of user and department records. The CVSS 4.0 base score of 5.3 (medium) reflects the privilege requirement and the limited confidentiality, integrity and availability ratings assigned to the issue. No exploitation in the wild has been reported, but a proof-of-concept exploit has been published, which lowers the effort required of an attacker. The affected range, 1.2.0 through 1.2.49, indicates a long-standing issue that is likely present in many deployments. No patch reference was available at the time of publication, so operators must rely on mitigations until the vendor ships a fixed release.
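The page does not show the affected code, so the following is an added Python example, not DooTask's own code (which is PHP/Laravel) and not the published exploit. It reproduces the bug class against an in-memory SQLite table: a hypothetical user-search function that splices the keys[department] value into the query text, beside the parameterized form that fixes it. The table layout, column names, sample rows and the injected payloads are all constructed for the illustration.

```python
import sqlite3

# Constructed sample data; the real DooTask schema is not shown on the page.
SAMPLE_USERS = [
    (1, "alice@example.test", "engineering", "hash-a"),
    (2, "bob@example.test", "engineering", "hash-b"),
    (3, "carol@example.test", "finance", "hash-c"),
]


def make_db():
    """In-memory SQLite stand-in for the application database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, "
        "department TEXT, password_hash TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def search_users_vulnerable(conn, keys):
    """Hypothetical vulnerable filter: keys['department'] becomes SQL text.

    `keys` models the PHP request array produced by ?keys[department]=...
    """
    dept = keys.get("department", "")
    # The quote closing the literal is attacker-controlled once dept contains '.
    sql = f"SELECT id, email FROM users WHERE department = '{dept}'"
    return conn.execute(sql).fetchall()


def search_users_fixed(conn, keys):
    """Hardened filter: the value is bound, never parsed as SQL syntax."""
    dept = keys.get("department", "")
    sql = "SELECT id, email FROM users WHERE department = ?"
    return conn.execute(sql, (dept,)).fetchall()


# Constructed payloads in the shape a SQL injection against this filter takes.
PAYLOAD_BYPASS = "x' OR '1'='1"
PAYLOAD_UNION = "x' UNION SELECT id, password_hash FROM users-- "


def demo():
    """Run both variants against a normal value and the two payloads."""
    conn = make_db()
    results = {}
    for label, fn in (("vulnerable", search_users_vulnerable),
                      ("fixed", search_users_fixed)):
        results[label] = {
            "normal": fn(conn, {"department": "finance"}),
            "bypass": fn(conn, {"department": PAYLOAD_BYPASS}),
            "union": fn(conn, {"department": PAYLOAD_UNION}),
        }
    return results


if __name__ == "__main__":
    for variant, rows in demo().items():
        for case, result in rows.items():
            print(f"{variant:10s} {case:7s} -> {result}")
```

With the vulnerable function the filter bypass returns every user and the UNION payload returns password hashes in the email column, while the parameterized version returns only the finance row for the legitimate value and nothing for either payload. In Laravel the same distinction is between building a raw query with string concatenation and passing the value through query-builder bindings.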

Potential Impact

For European organizations using kuaifan DooTask, this vulnerability poses a significant risk to the user and departmental data managed within the application. Exploitation could lead to unauthorized data disclosure, data manipulation or disruption of service, affecting business operations and potentially breaching data protection obligations such as the GDPR. The attack is network-reachable, needs no user interaction and requires only a low-privileged account; in a team collaboration tool such as DooTask that typically means any registered member, or anyone who has phished or otherwise obtained such an account, can attempt it. Organizations in sectors with sensitive or regulated data, such as healthcare, finance and government, face heightened consequences including reputational damage, regulatory fines and operational disruption. If the database contains credentials or other secrets, attackers could also use the extracted data to pivot to other internal systems.

Mitigation Recommendations

1. Reduce exposure of the vulnerable API endpoint immediately with network-level controls such as IP allow-listing or VPN-only access, and audit who holds accounts, since any low-privileged user can reach the endpoint.
2. Deploy Web Application Firewall (WAF) rules that detect and block SQL injection patterns in the 'keys[department]' parameter. Match on the URL-decoded request: the parameter name may arrive as keys%5Bdepartment%5D and the payload as percent-encoded quotes and keywords.
3. Validate and sanitize all user-supplied data that reaches SQL queries, and build those queries with parameterized statements or query-builder bindings rather than string concatenation.
4. Monitor application and web-server logs for SQL metacharacters or keywords in this parameter, for repeated requests from one account or address, and for unusually large responses from the endpoint, since a successful injection typically returns HTTP 200.
5. Engage the vendor or development team to obtain or develop a patch, and plan for prompt deployment of a fixed release once one is available.
6. Perform security assessments and penetration testing focused on injection flaws to identify and remediate similar issues proactively.
7. Train developers on secure coding practices to prevent recurrence of injection vulnerabilities.
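The log-monitoring recommendation above can be implemented as a small filter that normalizes percent-encoding before matching, which is what a WAF rule for this parameter must also do. The following added Python example is not part of the page or of DooTask; the access-log lines are constructed, and the request path /api/users/search is an assumption (the page names only the controller file, not the route).

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in common log format; the path is an assumption.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Sep/2025:10:01:02 +0000] "GET /api/users/search?keys[department]=finance HTTP/1.1" 200 512
10.0.0.9 - - [21/Sep/2025:10:01:07 +0000] "GET /api/users/search?keys%5Bdepartment%5D=x%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 4096
10.0.0.9 - - [21/Sep/2025:10:01:09 +0000] "GET /api/users/search?keys%5Bdepartment%5D=x%27%20UNION%20SELECT%20id%2Cpassword_hash%20FROM%20users-- HTTP/1.1" 200 3870
10.0.0.7 - - [21/Sep/2025:10:02:00 +0000] "GET /api/users/search?keys[department]=R%26D HTTP/1.1" 200 600
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+)'
)

# Tokens a department name never needs but an injection against a quoted
# string literal does: quotes, comment markers, statement separators, UNION,
# SELECT and the common time-based probes.
SQLI_RE = re.compile(
    r"(?i)(?:['\"]|--|/\*|;|\bunion\b|\bselect\b|\bsleep\s*\(|\bbenchmark\s*\()"
)


def department_values(target):
    """Return every keys[department] value in a request target, URL-decoded.

    parse_qs decodes both names and values, so keys%5Bdepartment%5D and
    keys[department] collapse to the same key, and %27 becomes a quote.
    """
    query = urlsplit(target).query
    return parse_qs(query, keep_blank_values=True).get("keys[department]", [])


def flag_requests(log_text):
    """Return the requests whose keys[department] value carries SQL syntax."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for value in department_values(m["target"]):
            if SQLI_RE.search(value):
                hits.append({
                    "ip": m["ip"],
                    "ts": m["ts"],
                    "status": m["status"],
                    "size": int(m["size"]),
                    "value": value,
                })
    return hits


if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} "
              f"size={hit['size']} value={hit['value']!r}")
```

Both injected requests are flagged even though their parameter names and payloads were percent-encoded, while the legitimate values "finance" and "R&D" are not. The token list is deliberately narrow; in environments where a department name may legitimately contain an apostrophe, treat a single quote as a lower-confidence signal and weight it with the response size and request rate from the same account.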

Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-09-20T07:07:08.848Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68d0935fb68a0c387d42a937

Added to database: 9/22/2025, 12:07:59 AM

Last enriched: 9/22/2025, 12:09:12 AM

Last updated: 9/23/2025, 9:27:03 AM
