CVE-2025-21628

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-21628

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-21628.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2025-21628

Aliases

GHSA-g8f9-hh83-rcq9

Published

2025-01-09T17:10:05.301Z

Modified

2026-02-11T13:49:08.103772Z

Severity

9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L CVSS Calculator

Summary

Chatwoot has a Blind SQL-injection in Conversation and Contacts filters

Details

Chatwoot is a customer engagement suite. Prior to 3.16.0, conversation and contact filters endpoints did not sanitize the input of query_operator passed from the frontend or the API. This provided any actor who is authenticated, an attack vector to run arbitrary SQL within the filter query by adding a tautological WHERE clause. This issue is patched with v3.16.0.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/21xxx/CVE-2025-21628.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-89"
    ]
}

References

Affected packages

Git / github.com/chatwoot/chatwoot

Affected ranges

Type: GIT
Repo: https://github.com/chatwoot/chatwoot
Events: Introduced

18c5c478367e50250a8b147d52ad2bd69ed4ef49

Fixed

d01c7d3fa759de388bbc5bb6eb2f5407f0300a98

Affected versions

2.*

2.16.1

v2.*

v2.17.0

v2.17.1

v2.18.0

v3.*

v3.0.0

v3.0.0-rc1

v3.1.0

v3.1.1

v3.10.0

v3.10.1

v3.10.2

v3.11.0

v3.11.1

v3.12.0

v3.13.0

v3.14.0

v3.14.1

v3.15.0

v3.2.0

v3.3.0

v3.3.1

v3.4.0

v3.5.0

v3.5.1

v3.5.2

v3.6.0

v3.7.0

v3.8.0

v3.9.0

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-21628.json"