CVE-2025-51092 is a critical SQL Injection vulnerability identified in the LogIn-SignUp project developed by VishnuSivadasVS. The vulnerability arises from unsafe construction of SQL queries within the DataBase.php file, specifically in the logIn() and signUp() functions. These functions directly concatenate user-supplied input and unvalidated table names into SQL queries without employing prepared statements or adequate sanitization. Although a prepareData() function exists, it is insufficient for preventing SQL injection attacks because it does not sanitize the table name parameter, which remains vulnerable to injection. This flaw corresponds to CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). Exploiting this vulnerability allows an unauthenticated attacker to execute arbitrary SQL commands on the backend database, potentially leading to full compromise of the database confidentiality, integrity, and availability. The CVSS v3.1 base score is 9.8 (critical), reflecting the ease of exploitation (network vector, no privileges, no user interaction) and the severe impact on confidentiality, integrity, and availability. No known exploits are currently reported in the wild, but the vulnerability’s nature and severity make it a high-risk target for attackers once exploit code becomes available.

For European organizations using the LogIn-SignUp project or derivatives thereof, this vulnerability poses a significant risk. Successful exploitation can lead to unauthorized data access, including sensitive user credentials and personal data, violating GDPR and other data protection regulations. Attackers could modify or delete data, disrupt authentication mechanisms, or escalate privileges, resulting in service outages and reputational damage. The breach of confidentiality and integrity could trigger regulatory fines and legal consequences. Additionally, the availability impact could disrupt business operations relying on the affected authentication system. Given the critical severity and ease of exploitation, European entities using this software in customer-facing or internal authentication systems are at high risk of data breaches and operational disruption.

To mitigate this vulnerability, organizations should immediately audit their use of the LogIn-SignUp project and identify any instances of the vulnerable DataBase.php implementation. The primary remediation is to refactor the logIn() and signUp() functions to use parameterized prepared statements for all SQL queries, ensuring that user inputs and table names are never directly concatenated into SQL commands. Since table names cannot be parameterized in prepared statements, implement strict whitelisting of allowed table names and validate them against this list before query construction. Additionally, enhance or replace the prepareData() function to include robust input validation and sanitization. Conduct thorough code reviews and penetration testing focused on SQL injection vectors. If patch updates become available from the original developer, apply them promptly. As an interim measure, consider deploying Web Application Firewalls (WAFs) with SQL injection detection rules tailored to this vulnerability’s patterns. Finally, monitor logs for suspicious SQL errors or anomalous query patterns indicative of exploitation attempts.