CVE-2025-61141: n/a
sqls-server/sqls 0.2.28 is vulnerable to command injection in the config command because the openEditor function passes the EDITOR environment variable and config file path to sh -c without sanitization, allowing attackers to execute arbitrary commands.
AI Analysis
Technical Summary
CVE-2025-61141 is a command injection vulnerability identified in sqls-server/sqls version 0.2.28. The root cause lies in the openEditor function, which invokes the system shell (sh -c) to open a configuration file using the EDITOR environment variable. Because the input from the EDITOR variable and the config file path is not sanitized or validated, an attacker can inject arbitrary shell commands. This vulnerability is classified under CWE-77 (Improper Neutralization of Special Elements used in a Command). Exploitation does not require authentication or user interaction, and the attack vector is network-based, making it remotely exploitable. The CVSS v3.1 base score is 7.5, reflecting high impact on integrity but no direct impact on confidentiality or availability. Although no known exploits are reported in the wild, the vulnerability poses a serious risk due to its ease of exploitation and potential for arbitrary command execution. The lack of a patch at the time of publication increases the urgency for mitigation. Organizations using sqls-server/sqls for SQL management or database services should prioritize risk assessment and implement temporary controls to restrict environment variable manipulation and shell command execution.
Potential Impact
For European organizations, this vulnerability could lead to unauthorized command execution on critical database management systems, potentially allowing attackers to alter or corrupt data, disrupt services, or pivot to other internal systems. The integrity of data managed by sqls-server/sqls could be compromised, affecting business operations, regulatory compliance (such as GDPR), and trustworthiness of information systems. Since the vulnerability does not directly impact confidentiality or availability, data exfiltration or denial-of-service are less likely but cannot be ruled out if attackers leverage the command execution for further attacks. The ease of exploitation without authentication increases the risk of automated or targeted attacks, especially in sectors with high reliance on SQL management tools, such as finance, healthcare, and government. The absence of known exploits currently provides a window for proactive defense but also indicates potential for future exploitation once weaponized.
Mitigation Recommendations
Immediate mitigation should focus on restricting the ability to control or influence the EDITOR environment variable in environments running sqls-server/sqls. Administrators should audit and harden environment variable settings, ensuring they cannot be manipulated by untrusted users or processes. Until an official patch is released, consider isolating sqls-server/sqls instances in secured network segments with strict access controls to limit exposure. Employ application whitelisting and monitoring to detect unusual shell command executions. Review and restrict shell access permissions for the sqls-server/sqls process. Additionally, implement runtime application self-protection (RASP) or intrusion detection systems (IDS) to identify and block suspicious command injection attempts. Once a patch becomes available, prioritize its deployment and verify the removal of the vulnerability through testing. Regularly update incident response plans to include scenarios involving command injection attacks.
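As an added illustration of the flaw pattern described in the technical summary and the fix the mitigation section points toward, the Go snippet below contrasts the sh -c construction with a shell-free argv build. It is not sqls's own code; the function names, the metacharacter list and the config path are assumptions chosen for this example.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// Characters that let sh -c start a second command or a substitution.
const shellMeta = ";|&$`<>(){}\\\"'\n"
// vulnerableEditorCommand mirrors the pattern described for CVE-2025-61141: editor
// and path are joined into one sh -c string, so metacharacters in either value are
// interpreted by the shell. Illustrative only; never executed in this example.
func vulnerableEditorCommand(editor, configPath string) *exec.Cmd {
	return exec.Command("sh", "-c", editor+" "+configPath)
}

// safeEditorArgs builds argv without a shell: EDITOR is whitespace-split (so
// "code --wait" still works), any token carrying shell metacharacters is rejected,
// and the config path is appended as its own argument, never parsed by sh.
func safeEditorArgs(editor, configPath string) ([]string, error) {
	fields := strings.Fields(editor)
	if len(fields) == 0 {
		return nil, errors.New("EDITOR is empty")
	}
	for _, f := range fields {
		if strings.ContainsAny(f, shellMeta) {
			return nil, fmt.Errorf("refusing EDITOR token %q: shell metacharacter", f)
		}
	}
	return append(fields, configPath), nil
}

// safeEditorCommand launches the editor directly from argv (no sh -c involved).
func safeEditorCommand(editor, configPath string) (*exec.Cmd, error) {
	args, err := safeEditorArgs(editor, configPath)
	if err != nil {
		return nil, err
	}
	return exec.Command(args[0], args[1:]...), nil
}

func main() {
	// Constructed values; the path is a placeholder, not sqls's real config location.
	for _, ed := range []string{"vim", "code --wait", "vim;true"} {
		args, err := safeEditorArgs(ed, "/path/to/config.yml")
		fmt.Printf("EDITOR=%q -> args=%v err=%v\n", ed, args, err)
	}
}
```

Whitespace splitting is deliberately not a full shell parser, so an EDITOR value that relies on quoting is rejected rather than guessed at; that trade-off is what keeps the shell out of the path entirely.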
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-09-26T00:00:00.000Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 6903d46daebfcd54749b1917
Added to database: 10/30/2025, 9:11:09 PM
Last enriched: 10/30/2025, 9:26:07 PM
Last updated: 10/31/2025, 6:19:49 PM