CVE-2025-54379 | THREATINT

Description

LF Edge eKuiper is a lightweight IoT data analytics and stream processing engine running on resource-constraint edge devices. In versions before 2.2.1, there is a critical SQL Injection vulnerability in the getLast API functionality of the eKuiper project. This flaw allows unauthenticated remote attackers to execute arbitrary SQL statements on the underlying SQLite database by manipulating the table name input in an API request. Exploitation can lead to data theft, corruption, or deletion, and full database compromise. This is fixed in version 2.2.1.

PUBLISHED Reserved 2025-07-21 | Published 2025-07-24 | Updated 2025-07-25 | Assigner GitHub_M

HIGH: 8.9CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

Problem types

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product status

< 2.2.1

affected

References

github.com/...kuiper/security/advisories/GHSA-526j-mv3p-f4vv exploit

github.com/...kuiper/security/advisories/GHSA-526j-mv3p-f4vv

github.com/...ommit/72c4918744934deebf04e324ae66933ec089ebd3

cve.org (CVE-2025-54379)

nvd.nist.gov (CVE-2025-54379)

Download JSON