CVE-2025-32389

Published Apr 18, 2025

Last updated a month ago

CVSS high 8.6

Overview

Description: NamelessMC is a free, easy to use & powerful website software for Minecraft servers. Prior to version 2.1.4, NamelessMC is vulnerable to SQL injection by providing an unexpected square bracket GET parameter syntax. Square bracket GET parameter syntax refers to the structure `?param[0]=a&param[1]=b&param[2]=c` utilized by PHP, which is parsed by PHP as `$_GET['param']` being of type array. This issue has been patched in version 2.1.4.
Source: security-advisories@github.com
NVD status: Analyzed

Risk scores

CVSS 4.0

Type: Secondary
Base score: 8.6
Impact score: -
Exploitability score: -
Vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity: HIGH

CVSS 3.1

Type: Primary
Base score: 6.5
Impact score: 3.6
Exploitability score: 2.8
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Severity: MEDIUM

Weaknesses

security-advisories@github.com: CWE-89

Hype score: Not currently trending

🚨 CVE-2025-32389 🔴 HIGH (8.6) 🏢 NamelessMC - Nameless 🏗️ < 2.1.4 🔗 https://t.co/QZfEwhCCX7 🔗 https://t.co/yB00KZJCxi 🔗 https://t.co/x70gU87RdX #CyberCron #VulnAlert #InfoSec https://t.co/Hygvbf8O4s
@cybercronai
20 Apr 2025
25 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:namelessmc:nameless:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "9BFA390C-E701-41AF-8B59-8A33C2DAC1CE",
            "versionEndExcluding": "2.1.4"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

References

Sources include official advisories and independent security research.

Overview

Risk scores

CVSS 4.0

CVSS 3.1

Weaknesses

Social media

Configurations

References