CVE-2025-5878

HIGH

ESAPI esapi-java-legacy - SQL Injection

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-5878. PoCs published by dickfu.

AI-analyzed exploit summary This repository contains a functional Python-based exploit for CVE-2025-5878, targeting a SQL injection vulnerability in ESAPI's encoder().encodeForSQL() method and OracleCodec() class. The exploit uses time-based blind SQL injection techniques to extract database names, tables, columns, and data.

Description

A vulnerability was found in ESAPI esapi-java-legacy and classified as problematic. This issue affects the interface Encoder.encodeForSQL of the SQL Injection Defense. An attack leads to an improper neutralization of special elements. The attack may be initiated remotely and an exploit has been disclosed to the public. The project was contacted early about this issue and handled it with an exceptional level of professionalism. Upgrading to version 2.7.0.0 is able to address this issue. Commit ID f75ac2c2647a81d2cfbdc9c899f8719c240ed512 is disabling the feature by default and any attempt to use it will trigger a warning. And commit ID e2322914304d9b1c52523ff24be495b7832f6a56 is updating the misleading Java class documentation to warn about the risks.

Exploits (1)

github WORKING POC

by dickfu · pythonpoc

https://github.com/dickfu/ESAPI-SQLinjection-CVE-2025-5878-Exploit

View Code ZIP pw:eip

This repository contains a functional Python-based exploit for CVE-2025-5878, targeting a SQL injection vulnerability in ESAPI's encoder().encodeForSQL() method and OracleCodec() class. The exploit uses time-based blind SQL injection techniques to extract database names, tables, columns, and data.

Classification

Working Poc 95%

Attack Type

Sqli

Complexity

Moderate

Reliability

Reliable

Target: ESAPI 2.2.0.0

Auth required

Prerequisites: valid target URL with vulnerable parameter · authentication cookies

MITRE ATT&CK