CVE-2025-12327 identifies an SQL injection vulnerability in the shawon100 RUET OJ online judge platform, specifically in the handling of the 'ID' parameter within the /description.php endpoint. This vulnerability arises from improper sanitization or validation of user-supplied input, allowing attackers to inject arbitrary SQL commands into backend database queries. The injection can be performed remotely without authentication or user interaction, indicating a network-exploitable flaw with low complexity but requiring low privileges. The vulnerability affects versions up to the commit hash 18fa45b0a669fa1098a0b8fc629cf6856369d9a5, but due to the product's rolling release model, exact versioning is ambiguous. The vendor was contacted but did not respond, and no official patches or fixes have been released. The CVSS 4.0 base score is 5.3 (medium), reflecting moderate impact on confidentiality, integrity, and availability with partial scope impact. Exploitation could allow attackers to extract sensitive data, modify database contents, or disrupt service availability. Although no known exploits are currently active in the wild, the public disclosure of the vulnerability increases the likelihood of future exploitation attempts. The lack of vendor response and patch availability necessitates proactive mitigation by users of the platform. Given the nature of the platform as an online judge system, typically used in academic or competitive programming environments, the threat primarily targets educational institutions or organizations relying on this software for coding competitions or assessments.

For European organizations, particularly universities, coding bootcamps, and competitive programming platforms using shawon100 RUET OJ, this vulnerability poses significant risks. Exploitation could lead to unauthorized disclosure of sensitive user data, including participant submissions, personal information, or competition results, undermining privacy and trust. Data integrity could be compromised by unauthorized modification or deletion of database records, potentially affecting competition fairness or record accuracy. Availability impacts may arise if attackers execute commands that disrupt database operations or cause service outages, impacting ongoing assessments or contests. The medium CVSS score reflects moderate but tangible risks, especially given the unauthenticated remote exploit vector. European organizations with limited security resources or delayed patching processes are particularly vulnerable. Additionally, the absence of vendor patches and public exploit code increases the urgency for internal mitigations. The reputational damage and potential regulatory consequences under GDPR for data breaches further elevate the impact for affected European entities.

Since no official patches are available, European organizations should implement immediate compensating controls. First, apply strict input validation and sanitization on the 'ID' parameter in /description.php, ensuring only expected numeric or alphanumeric values are accepted. Employ parameterized queries or prepared statements in the database access layer to prevent SQL injection. Conduct thorough code reviews and static analysis to identify similar injection points. Monitor database logs and application logs for unusual query patterns or error messages indicative of injection attempts. Restrict database user privileges to the minimum necessary to limit potential damage from injection exploits. If feasible, deploy web application firewalls (WAFs) with custom rules to detect and block SQL injection payloads targeting this endpoint. Educate development and security teams about the vulnerability and encourage rapid incident response readiness. Finally, maintain close monitoring of vendor communications for any future patches or updates and plan for timely application once available.