CVE-2025-6904 is a critical SQL Injection vulnerability identified in version 1.0 of the code-projects Car Rental System, specifically within the /admin/add_cars.php file. The vulnerability arises from improper sanitization or validation of the 'car_name' parameter, which is directly used in SQL queries without adequate protection against injection attacks. This flaw allows an unauthenticated remote attacker to manipulate the 'car_name' input to inject arbitrary SQL commands. Successful exploitation can lead to unauthorized access to the backend database, enabling attackers to read, modify, or delete sensitive data, potentially compromising the confidentiality, integrity, and availability of the system. The vulnerability does not require any authentication or user interaction, increasing its risk profile. Although the CVSS 4.0 base score is 6.9 (medium severity), the exploitability metrics indicate low attack complexity, no privileges required, and no user interaction, which typically elevates the risk. The vulnerability has been publicly disclosed, but no known exploits are currently reported in the wild. The affected product is a niche car rental management system, which may be deployed by small to medium enterprises managing vehicle fleets. The lack of available patches or mitigations from the vendor increases the urgency for organizations to implement compensating controls.

For European organizations using the code-projects Car Rental System 1.0, this vulnerability poses a significant risk. Exploitation could lead to unauthorized data disclosure, including customer information, rental records, and potentially payment details if stored in the database. This could result in violations of GDPR due to data breaches, leading to regulatory fines and reputational damage. Additionally, attackers could alter or delete vehicle inventory data, disrupting business operations and causing financial losses. Since the vulnerability allows remote exploitation without authentication, attackers could leverage it as an entry point into the internal network, potentially pivoting to other critical systems. The impact is particularly severe for organizations relying heavily on this system for daily operations or those lacking robust network segmentation and monitoring. The absence of known exploits in the wild suggests a window of opportunity for proactive mitigation before widespread attacks occur.

Given the absence of official patches, European organizations should immediately implement the following mitigations: 1) Apply strict input validation and sanitization on the 'car_name' parameter at the web application firewall (WAF) or reverse proxy level to block malicious SQL payloads. 2) Employ parameterized queries or prepared statements in the application code to prevent SQL injection, if source code access and modification are possible. 3) Restrict access to the /admin/add_cars.php endpoint by IP whitelisting or VPN-only access to reduce exposure. 4) Monitor database logs and web server logs for unusual query patterns or injection attempts. 5) Conduct regular security assessments and penetration testing focused on injection flaws. 6) Isolate the car rental system within a segmented network zone with limited access to sensitive backend systems. 7) Prepare an incident response plan to quickly address any signs of exploitation. Organizations should also engage with the vendor or community for updates or patches and consider migrating to alternative solutions if remediation is not feasible.