
CVE-2025-7174: SQL Injection in code-projects Library System

Severity: Medium
Published: Tue Jul 08 2025 (07/08/2025, 10:32:05 UTC)
Source: CVE Database V5
Vendor/Project: code-projects
Product: Library System

Description

A vulnerability was found in code-projects Library System 1.0 and classified as critical. This issue affects some unknown processing of the file /teacher-issue-book.php. The manipulation of the argument idn leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 07/08/2025, 10:56:12 UTC

Technical Analysis

CVE-2025-7174 is a SQL injection vulnerability in version 1.0 of the code-projects Library System, located in the /teacher-issue-book.php script. The 'idn' parameter is incorporated into a database query without proper handling, so a remote attacker can change the structure of the query the script executes without authenticating or involving any user. Depending on the privileges of the database account the application uses, this allows reading data the attacker should not see, modifying records, or using the injection point to reach further into the database server. The CVSS 4.0 base score is 6.9, which is medium severity, with a network attack vector and no privileges or user interaction required; the VulDB description labels the issue "critical", but that is the reporter's qualitative classification, not the numeric rating. The impact on confidentiality, integrity, and availability is rated low to medium, while exploitability is high because no authentication is needed and injection through a single GET parameter is trivial to perform remotely. A public exploit has been disclosed; no exploitation in the wild has been reported at the time of writing. No patch or vendor mitigation is available. Because the affected product is a library management application, most likely deployed in schools and other educational institutions, the data reachable through the injection point plausibly includes student and staff records and book issue history, and an attacker could alter those records or disrupt library operations.
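To make the mechanism concrete, the following is an added example written for this page; it is not code from the Library System, whose source is not reproduced here. The table and column names are assumptions (the advisory names only the script and the 'idn' parameter), and SQLite stands in for the MySQL backend a PHP application of this kind normally uses. The vulnerable function builds the query the way a `"... WHERE idn = '$_GET[idn]'"` PHP statement would, and the safe function shows the prepared-statement form that closes the hole.

```python
import sqlite3

# Added demonstration, not code from the Library System. Table and column
# names are assumptions: the advisory only names /teacher-issue-book.php and
# the injected parameter idn. SQLite replaces the app's MySQL backend; the
# injection mechanics are identical.

def setup_db():
    """Build an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE teachers (idn TEXT PRIMARY KEY, name TEXT, email TEXT);
        INSERT INTO teachers VALUES ('T001', 'Alice Example', 'alice@example.edu');
        INSERT INTO teachers VALUES ('T002', 'Bob Example',   'bob@example.edu');
        CREATE TABLE users (username TEXT, password_hash TEXT);
        INSERT INTO users VALUES ('admin', 'constructed-hash-value');
    """)
    return conn

def lookup_teacher_vulnerable(conn, idn):
    """Equivalent of "... WHERE idn = '$_GET[idn]'": the raw value becomes
    part of the SQL text, so a quote in it terminates the literal early."""
    sql = f"SELECT idn, name, email FROM teachers WHERE idn = '{idn}'"
    return conn.execute(sql).fetchall()

def lookup_teacher_safe(conn, idn):
    """Parameterised form: the value travels separately from the statement
    text, so the database never interprets it as SQL."""
    sql = "SELECT idn, name, email FROM teachers WHERE idn = ?"
    return conn.execute(sql, (idn,)).fetchall()

# Two payloads an attacker would place in the idn GET parameter, shown
# already URL-decoded. Both are constructed for this example.
TAUTOLOGY = "' OR '1'='1"
UNION_DUMP = "' UNION SELECT username, password_hash, 'x' FROM users --"

if __name__ == "__main__":
    db = setup_db()
    print("normal lookup:          ", lookup_teacher_safe(db, "T001"))
    print("vulnerable + tautology: ", lookup_teacher_vulnerable(db, TAUTOLOGY))
    print("vulnerable + union dump:", lookup_teacher_vulnerable(db, UNION_DUMP))
    print("safe + tautology:       ", lookup_teacher_safe(db, TAUTOLOGY))
    print("safe + union dump:      ", lookup_teacher_safe(db, UNION_DUMP))
```

The tautology payload turns the WHERE clause into `idn = '' OR '1'='1'` and returns every teacher; the UNION payload appends a second SELECT with the same column count and pulls the constructed admin credential row out of an unrelated table. The parameterised version returns nothing for either payload because the whole string is compared as a literal identifier.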

Potential Impact

For European organizations, particularly educational institutions and libraries running code-projects Library System 1.0, this vulnerability poses a significant risk. Exploitation could expose personal data of students and teachers, which would constitute a personal data breach under the GDPR, with notification duties and potential fines. Integrity could be compromised by altering book issue records or user data, undermining trust in institutional systems. Availability impacts are likely limited but could still disrupt library services and, with them, academic operations. Because the attack is remote and unauthenticated, the likelihood of exploitation is highest where the library management system is reachable from the internet. With no vendor patch available, organizations must rely on compensating controls or a replacement system, which lengthens the exposure window.

Mitigation Recommendations

Organizations should first audit their estate for deployments of code-projects Library System 1.0. Where one is found, restrict network access to the application: take it off the public internet or limit it to trusted internal IP ranges with firewalls or network segmentation. A Web Application Firewall with rules that inspect the 'idn' parameter of /teacher-issue-book.php for SQL injection patterns can buy time, but pattern-based filtering is routinely bypassed with alternative encodings, case changes and inline comments, so treat it as a stopgap rather than a fix. Because the application is PHP, the source is present on the server and the query in /teacher-issue-book.php can be corrected directly: replace string concatenation of the 'idn' value with a prepared statement (PDO or mysqli with bound parameters) and validate the parameter against the expected identifier format before it reaches the query. Run the application with a database account limited to the tables and privileges it actually needs, so that a residual injection cannot read or modify unrelated data. Monitor web server and database logs for unusual queries or request patterns against the vulnerable endpoint. Where feasible, migrate to a maintained release or to alternative library management software. Ensure backups are current and tested so records can be restored if data is altered, and make sure staff know how to recognise and escalate web application attacks.
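As an added example of the monitoring step (not part of the advisory and not code from the Library System), the script below scans web server access logs for requests to /teacher-issue-book.php whose 'idn' value carries common SQL injection indicators. The log lines are constructed in Apache style with documentation-range addresses, and the indicator patterns are illustrative heuristics, not a complete signature set; one line is double URL-encoded to show why the value must be decoded twice before matching.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Added detection example, not part of the advisory or of the Library System.
# Log lines are constructed (abbreviated Apache style); IPs are from
# documentation ranges, not observed traffic. The last line carries the same
# payload against a different script, to show the scan is scoped to the
# vulnerable endpoint.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Jul/2025:11:02:13 +0000] "GET /teacher-issue-book.php?idn=T001 HTTP/1.1" 200 2314
203.0.113.5 - - [08/Jul/2025:11:02:41 +0000] "GET /teacher-issue-book.php?idn=T001'%20OR%20'1'='1 HTTP/1.1" 200 8123
198.51.100.9 - - [08/Jul/2025:11:03:02 +0000] "GET /teacher-issue-book.php?idn=1%27%20UNION%20SELECT%20username%2Cpassword%2C3%20FROM%20users--%20- HTTP/1.1" 200 4411
198.51.100.9 - - [08/Jul/2025:11:03:30 +0000] "GET /teacher-issue-book.php?idn=1%2520AND%2520SLEEP(5)-- HTTP/1.1" 200 2314
192.0.2.77 - - [08/Jul/2025:11:04:00 +0000] "GET /index.php?idn=T001'%20OR%20'1'='1 HTTP/1.1" 200 1200
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Heuristic indicators applied to the fully decoded parameter value.
SQLI_PATTERNS = [
    ("tautology", re.compile(r"'\s*(or|and)\s*'?\w+'?\s*=", re.I)),
    ("union-select", re.compile(r"\bunion\b[\s\S]*\bselect\b", re.I)),
    ("comment-terminator", re.compile(r"(--|/\*|#)")),
    ("time-based", re.compile(r"\b(sleep|benchmark|waitfor)\s*\(", re.I)),
]

def decoded_values(target, param):
    """Values of `param` in a request target. parse_qs decodes once; the
    second unquote_plus unwraps double-encoded payloads (%2527 -> %27 -> ')."""
    query = urlsplit(target).query
    raw = parse_qs(query, keep_blank_values=True).get(param, [])
    return [unquote_plus(v) for v in raw]

def classify(value):
    """Labels of every indicator that fires on a parameter value."""
    return [label for label, rx in SQLI_PATTERNS if rx.search(value)]

def scan_log(text, path="/teacher-issue-book.php", param="idn"):
    """One finding per request to `path` whose `param` looks injected."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or urlsplit(m.group("target")).path != path:
            continue
        for value in decoded_values(m.group("target"), param):
            labels = classify(value)
            if labels:
                findings.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "status": int(m.group("status")),
                    "value": value,
                    "labels": labels,
                })
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['labels']} -> {f['value']!r}")
```

Run against the sample, the scan reports the tautology, the UNION-based dump attempt and the time-based probe, and ignores both the legitimate lookup and the same payload sent to a different script. The same indicators are what a WAF rule would match, which is also why they are only a detection aid: an attacker can split keywords with `/**/` comments or use encodings the regexes do not anticipate, so the finding should trigger a review of the database account's activity rather than be relied on as a block.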


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-07-07T07:53:47.327Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 686cf5656f40f0eb72f3f637

Added to database: 7/8/2025, 10:39:33 AM

Last enriched: 7/8/2025, 10:56:12 AM

Last updated: 7/8/2025, 1:06:37 PM
