CVE-2025-3323: SQL Injection in godcheese Nimrod

Severity: Medium
Tags: Vulnerability, CVE-2025-3323
Published: Sun Apr 06 2025 (04/06/2025, 22:00:13 UTC)
Source: CVE Database V5
Vendor/Project: godcheese
Product: Nimrod

Description

A vulnerability classified as critical was found in godcheese/code-projects Nimrod 0.8. Affected by this vulnerability is the function searchAllByName of the file ViewMenuCategoryRestController.java. The manipulation of the argument Name leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 07/17/2025, 18:01:11 UTC

Technical Analysis

CVE-2025-3323 is a SQL injection vulnerability in version 0.8 of Nimrod, developed by godcheese/code-projects. The flaw is in the function searchAllByName in the file ViewMenuCategoryRestController.java: the 'Name' argument is not properly sanitized or validated and is used directly in SQL queries, which lets an attacker manipulate the input to inject SQL code. The vulnerability can be exploited remotely without user interaction or authentication, which increases its risk profile.

The CVSS 4.0 base score is 5.3, a medium severity level, with a network (remote) attack vector, low attack complexity, no privileges required, and no user interaction needed. The impact on confidentiality, integrity, and availability is rated as low, suggesting that while exploitation is possible, the extent of damage or data exposure is limited or constrained by the application context. No known exploits are currently observed in the wild, and no patches or fixes have been publicly linked yet. The vulnerability disclosure date is April 6, 2025. The vulnerability's presence in a REST controller suggests it affects web-facing APIs, which automated or manual SQL injection attacks could target to extract or manipulate backend database information.

Potential Impact

For European organizations using Nimrod 0.8, this vulnerability poses a risk of unauthorized access or manipulation of backend databases through SQL injection attacks. Although the CVSS score and impact ratings suggest limited damage potential, exploitation could lead to unauthorized data disclosure, data modification, or denial of service depending on the database's role and the application's criticality. Organizations in sectors with sensitive data—such as finance, healthcare, or government—could face compliance and reputational risks if data integrity or confidentiality is compromised. The remote exploitability without authentication increases the attack surface, especially for publicly accessible Nimrod instances. However, the lack of known active exploits and the medium severity rating indicate that immediate widespread impact is unlikely but should not be ignored. European entities relying on Nimrod for menu or category management in web applications should prioritize assessment and remediation to prevent potential exploitation.

Mitigation Recommendations

1. Immediate code review and sanitization: Developers should audit the searchAllByName function to ensure proper input validation and parameterized queries or prepared statements are used to prevent SQL injection.
2. Apply patches or updates: Monitor godcheese/code-projects for official patches or updates addressing CVE-2025-3323 and apply them promptly.
3. Web Application Firewall (WAF): Deploy or update WAF rules to detect and block SQL injection patterns targeting the vulnerable endpoint.
4. Access controls: Restrict network access to the Nimrod application, limiting exposure to trusted IPs or internal networks where possible.
5. Logging and monitoring: Enhance logging around the affected API endpoint to detect anomalous query patterns or repeated failed attempts indicative of exploitation.
6. Security testing: Conduct penetration testing focusing on injection flaws in Nimrod to identify any other potential injection points.
7. Incident response readiness: Prepare to respond to potential exploitation attempts by having forensic and remediation plans in place.
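
Recommendation 1 illustrated as an added example; it is not Nimrod's code, and the affected query is not shown on this page. It contrasts a string-concatenated name search with a parameterized one using Python's built-in sqlite3 so it runs offline; the `menu_category` schema, the function names and the sample inputs are constructed assumptions, and the same principle applies to `PreparedStatement` in Java.

```python
import sqlite3

def make_db():
    """In-memory database with constructed sample rows (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE menu_category (id INTEGER PRIMARY KEY, name TEXT, hidden INTEGER)"
    )
    conn.executemany(
        "INSERT INTO menu_category (name, hidden) VALUES (?, ?)",
        [("Starters", 0), ("Desserts", 0), ("Chef's Specials", 0), ("Internal", 1)],
    )
    return conn

def search_unsafe(conn, name):
    # Weak pattern: the caller-supplied value is spliced into the SQL text,
    # so quote characters in it change the structure of the statement.
    sql = ("SELECT name FROM menu_category "
           "WHERE hidden = 0 AND name = '" + name + "' ORDER BY id")
    return [row[0] for row in conn.execute(sql)]

def search_safe(conn, name):
    # Corrected pattern: constant SQL text, value bound as a parameter.
    sql = "SELECT name FROM menu_category WHERE hidden = 0 AND name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (name,))]

def compare(conn, name):
    """Run both variants on one input; report rows or the database error."""
    try:
        unsafe = search_unsafe(conn, name)
    except sqlite3.OperationalError as exc:
        unsafe = "error: %s" % exc
    return {"input": name, "unsafe": unsafe, "safe": search_safe(conn, name)}

if __name__ == "__main__":
    db = make_db()
    # Constructed inputs: a plain name, a legitimate name containing a quote,
    # and a value whose quote closes the string literal early.
    for value in ("Desserts", "Chef's Specials", "x' OR '1'='1"):
        print(compare(db, value))
```

The syntax error the concatenated form raises on a legitimate quoted name is also the kind of database error worth alerting on under recommendation 5.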

Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-04-06T05:45:26.266Z
Cvss Version: 4.0
State: PUBLISHED

Threat ID: 687936e6a83201eaace7c2ed

Added to database: 7/17/2025, 5:46:14 PM

Last enriched: 7/17/2025, 6:01:11 PM

Last updated: 7/27/2025, 11:05:07 PM
