CVE-2025-12914 Vulnerability Fix Notice
1. Vulnerability Overview
External security platforms disclosed information about CVE-2025-12914, which affects BaoTa Panel. The vulnerability lies in the database permission query logic of older versions: because input parameters were insufficiently validated, a SQL injection risk could be triggered under specific conditions.
The vulnerability cannot be exploited directly by unauthorized remote users; it can only be triggered once relatively high privilege requirements are met.
2. Affected Scope
| Panel version | Status |
|---|---|
| ≤ 11.2.x | Affected |
| 11.3.0 and later | Fixed, not affected |
3. Exploitation Conditions and Risk
The vulnerability can only be exploited when the attacker already holds the following privileges:
- Logged in to the BaoTa Panel backend (any administrator account)
- Or in possession of the BaoTa Panel API AccessKey (equivalent to backend privileges)
Without authorized access the vulnerability cannot be triggered, so the actual risk is limited.
4. Fix Status
The issue has been fixed in 11.3.0, including:
- Replacing string-concatenated SQL queries with parameterized queries
- Strengthening input validation and exception handling
- Fully blocking this type of injection risk
5. Fix Details (Technical)
The original code used string concatenation, for example:
users = mysql_obj.query("select Host from mysql.user where User='" + name + "' AND Host!='localhost'")
After the update, this was changed to a parameterized form:
sql = "select Host from mysql.user where User=%s AND Host!='localhost'"
users = mysql_obj.query(sql, param=(name,))
This approach ensures that user input is never interpreted as SQL instructions, eliminating the injection at its root.
6. Acknowledgements
We thank the security researchers who reported the vulnerability to us; their help has been valuable in improving BaoTa Panel security.
7. Recommended Actions
All users are advised to upgrade to 11.3.0 or later. If upgrading is temporarily not possible, you can:
- Restrict the source IPs allowed to access the panel
- Enable two-factor authentication
- Check the panel API and MySQL logs
Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-12914
BaoTa Panel
December 2, 2025
CVE-2025-12914 Vulnerability Fix Description
1. Overview
CVE-2025-12914 is a vulnerability disclosed by external security platforms affecting older versions of the aaPanel / BaoTa Panel product. The issue stems from insufficient input validation in a database-related query, which could allow SQL injection under specific conditions.
This vulnerability cannot be exploited remotely without authorization and requires elevated privileges to trigger.
2. Affected Versions
| Version | Status |
|---|---|
| ≤ 11.2.x | Affected |
| 11.3.0 and above | Fixed |
3. Exploitation Conditions & Risk
The vulnerability can only be exploited if the attacker has already obtained elevated access, such as:
- A valid login to the BaoTa Panel (any admin role)
- Possession of the Panel's API AccessKey (equivalent to admin access)
As unauthorized external users cannot trigger this flaw, the overall real-world risk remains limited.
4. Fix Status
The issue has been fully resolved in version 11.3.0, including:
- Replacing string-concatenated SQL statements with parameterized queries
- Enhanced input validation
- Improved error handling around database operations
5. Technical Details
The previous implementation constructed SQL statements using string concatenation:
users = mysql_obj.query("select Host from mysql.user where User='" + name + "' AND Host!='localhost'")
This was updated to a safe, parameterized approach in 11.3.0:
sql = "select Host from mysql.user where User=%s AND Host!='localhost'"
users = mysql_obj.query(sql, param=(name,))
Parameterized queries ensure user input is treated strictly as data, preventing SQL injection.
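As an added example that is not part of this advisory or of BaoTa Panel's own code, the Python script below places the pre-11.3.0 concatenation pattern beside the parameterized fix shown in the Technical Details section (in both language versions) and runs each against the same input. It uses a constructed SQLite table named `mysql_user` as an offline stand-in for `mysql.user`, and SQLite's `?` placeholder where the MySQL driver in the advisory uses `%s`; the user names, hosts and `hosts_concat`/`hosts_param`/`compare` function names are all assumptions made for the demonstration.

```python
import sqlite3

# Constructed stand-in for MySQL's mysql.user table so the example runs
# offline. User names and hosts are sample values, not real data.
SAMPLE_ROWS = [
    ("app", "localhost"),
    ("app", "10.0.0.5"),
    ("backup", "192.168.1.20"),
    ("root", "localhost"),
]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mysql_user (User TEXT, Host TEXT)")
    conn.executemany("INSERT INTO mysql_user VALUES (?, ?)", SAMPLE_ROWS)
    return conn

def hosts_concat(conn, name):
    """Pre-11.3.0 pattern: the caller-supplied name is spliced into the SQL
    text, so a quote character in it changes the structure of the query."""
    sql = ("select Host from mysql_user where User='" + name
           + "' AND Host!='localhost'")
    return sorted(row[0] for row in conn.execute(sql))

def hosts_param(conn, name):
    """11.3.0 pattern: a placeholder in the SQL text and the value bound
    separately, so the driver always treats the name as data."""
    sql = "select Host from mysql_user where User=? AND Host!='localhost'"
    return sorted(row[0] for row in conn.execute(sql, (name,)))

def compare(name):
    """Run both variants on one input. A difference between the two result
    lists means the input altered the logic of the concatenated query."""
    conn = make_db()
    return {"concat": hosts_concat(conn, name),
            "param": hosts_param(conn, name)}

if __name__ == "__main__":
    # A plain user name gives the same answer either way.
    print(compare("app"))
    # A name carrying a quote: the concatenated query now returns every
    # non-localhost host, while the parameterized query matches nothing.
    print(compare("x' OR '1'='1"))
```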
6. Acknowledgements
We sincerely thank the security researcher who reported this vulnerability. Their contribution has helped us improve the overall security of BaoTa Panel.
7. Recommendations
Users are strongly advised to upgrade to version 11.3.0 or later. If an upgrade is temporarily not possible, consider:
- Restricting panel access by IP
- Enabling two-factor authentication
- Reviewing API and MySQL logs for anomalies
Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-12914
BaoTa Panel
December 2, 2025