CVE-2025-9413 is a medium severity SQL injection vulnerability affecting the ruoyi-go product developed by lostvip-com, specifically versions up to 2.1 (including 2.0 and 2.1). The vulnerability resides in the SelectListByPage function within the modules/system/system_router.go source file. The flaw arises due to improper handling and sanitization of the input parameters orderByColumn and isAsc, which are used to construct SQL queries. An attacker can manipulate these parameters to inject arbitrary SQL code, potentially altering the intended query logic. This injection can be exploited remotely without requiring user interaction or authentication, as indicated by the CVSS vector (AV:N/AC:L/AT:N/UI:N/PR:L). The vulnerability impacts confidentiality, integrity, and availability to a limited extent (VC:L/VI:L/VA:L), meaning that while the impact is not total compromise, it can still lead to unauthorized data access or modification and possibly disruption of service. The vendor was notified early but did not respond or provide a patch, and an exploit has been published publicly, increasing the risk of exploitation. Although no known exploits in the wild have been reported yet, the availability of a public exploit raises the likelihood of active attacks in the near future. The vulnerability is classified as medium severity with a CVSS 4.0 score of 5.3, reflecting the moderate risk posed by this flaw. The root cause is insufficient input validation and sanitization in the SQL query construction logic, a common issue in web applications that interface with databases. Attackers exploiting this vulnerability could execute arbitrary SQL commands, potentially leading to data leakage, unauthorized data modification, or denial of service through malformed queries.

For European organizations using ruoyi-go versions 2.0 or 2.1, this vulnerability poses a tangible risk to the security of their systems and data. Given that ruoyi-go is a web application framework or system component, exploitation could allow attackers to access sensitive information stored in backend databases, modify or delete data, or disrupt application availability. This could lead to breaches of personal data protected under GDPR, resulting in regulatory penalties and reputational damage. The remote and unauthenticated nature of the exploit increases the attack surface, especially for internet-facing services. Organizations in sectors such as finance, healthcare, government, and critical infrastructure that rely on ruoyi-go could face operational disruptions or data breaches. The lack of vendor response and absence of official patches means organizations must rely on workarounds or mitigations until a fix is available, increasing exposure time. The medium severity rating suggests that while the impact is not catastrophic, it is significant enough to warrant prompt attention to prevent exploitation and data compromise.

Since no official patch is currently available from the vendor, European organizations should implement immediate compensating controls. These include: 1) Applying strict input validation and sanitization at the application or web server level to filter and block malicious payloads targeting the orderByColumn and isAsc parameters. 2) Employing Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection patterns specific to this vulnerability. 3) Restricting database user permissions to the minimum necessary to limit the potential damage from SQL injection attacks. 4) Monitoring application logs and network traffic for anomalous queries or suspicious activity related to the affected function. 5) Isolating or restricting access to the affected ruoyi-go instances, especially if exposed to the internet. 6) Planning and testing an upgrade or patch deployment as soon as the vendor releases a fix. 7) Conducting security awareness training for developers and administrators about secure coding practices to prevent similar injection flaws. These targeted mitigations go beyond generic advice by focusing on the specific vulnerable parameters and the operational context of ruoyi-go deployments.