CVE-2025-12329 identifies a SQL injection vulnerability in the shawon100 RUET OJ system, a platform likely used for online judging in programming contests or educational purposes. The vulnerability resides in an unspecified function within the /details.php file, where the 'ID' parameter is improperly sanitized, allowing attackers to inject malicious SQL statements. This injection can be performed remotely without authentication or user interaction, making exploitation straightforward. The CVSS 4.0 score of 5.3 reflects a medium severity, considering the attack vector is network-based with low attack complexity and no privileges or user interaction required, but with limited impact on confidentiality, integrity, and availability. The rolling release development model of RUET OJ complicates patching because version numbers are replaced by commit hashes, and no official patch or vendor communication has been provided. Publicly available exploit code increases the risk of exploitation, potentially leading to unauthorized data access, data manipulation, or disruption of service. The vulnerability affects all deployments running the specified commit or earlier, with no clear indication of fixed versions. The lack of vendor response and patch availability necessitates proactive defensive measures by users. The vulnerability is particularly concerning for organizations relying on RUET OJ for educational or competitive programming environments, where sensitive user data or contest integrity could be compromised.

For European organizations, the impact of this SQL injection vulnerability could be significant, especially for universities, coding bootcamps, or competitive programming platforms using RUET OJ or similar open-source judging systems. Exploitation could lead to unauthorized access to sensitive user data, including personal information and contest submissions, undermining privacy and data protection compliance under GDPR. Integrity of contest results or educational records could be compromised, affecting trust and fairness. Availability could also be impacted if attackers use SQL injection to disrupt database operations or cause denial of service. Given the public availability of exploit code and lack of vendor patching, the risk of attacks targeting European academic institutions or tech companies using this platform increases. The rolling release nature complicates patch management, potentially delaying remediation. Organizations may face reputational damage, regulatory penalties, and operational disruption if the vulnerability is exploited.

1. Immediately implement strict input validation and sanitization on all parameters, especially the 'ID' parameter in /details.php, using parameterized queries or prepared statements to prevent SQL injection. 2. Deploy a Web Application Firewall (WAF) with rules targeting SQL injection patterns to detect and block malicious requests. 3. Monitor database logs and web server logs for unusual query patterns or repeated failed attempts to exploit the vulnerability. 4. If possible, isolate the RUET OJ instance from critical internal networks to limit potential lateral movement. 5. Conduct a thorough code review of the application to identify and remediate other potential injection points. 6. Engage with the community or maintainers to track any forthcoming patches or updates despite the vendor's current non-responsiveness. 7. Consider migrating to alternative, actively maintained online judging platforms with robust security practices if remediation is not feasible. 8. Educate administrators and developers on secure coding practices and the risks of SQL injection. 9. Regularly back up databases and ensure backups are secure and tested for restoration to mitigate data loss from potential attacks. 10. Implement network-level restrictions to limit access to the application to trusted users or IP ranges where possible.