Ruoyi Go SQL Injection

MEDIUM (6.3) No Patch (113 days)

Threat Intelligence

Low Risk
EPSS Score: 0.05% chance of exploitation (percentile: 16%)
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found

What is it?

Ruoyi Go is a Go framework for building web applications. This vulnerability allows attackers to inject malicious SQL code into the application's database queries, potentially leading to unauthorized data access or data tampering.

Am I affected?

You're affected if you use Ruoyi Go version 2.1 or earlier. To check whether your instance is vulnerable, run go mod tidy, then find . -name "ruoyi.go", and inspect the contents of the modules/system/dao/DictDataDao.go file for suspicious code.

Affected Packages

go: github.com/on-theway/ruoyi

Affected Products

on-theway / Ruoyi Go

How to fix

To fix this vulnerability, upgrade to Ruoyi Go version 2.2 or later. If an immediate update isn't possible:

  1. Restrict network access to your Ruoyi Go instance (firewall it from the public internet).
  2. Audit database queries for suspicious patterns.
  3. Monitor for unauthorized data modifications.
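The "Am I affected?" check and step 2 above both come down to reading DAO code for query text assembled from runtime values. The following Go program is an added example, not Ruoyi Go's own code and not a reproduction of the vulnerable DictDataDao.go: it parses Go source with the standard go/ast package and reports call sites where a database method (Query, QueryRow, Exec and a few common wrapper names, an assumed list) receives a query built by string concatenation or fmt.Sprintf rather than a constant with placeholders. The sample DAO source it scans is constructed for the example.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strings"
)

// sqlCallNames lists method names that send SQL text to the database.
// Assumption: the audited project uses database/sql or a wrapper with these names.
var sqlCallNames = map[string]bool{
	"Query": true, "QueryRow": true, "Exec": true, "Raw": true, "Select": true, "Get": true,
}

// Finding is one call site whose SQL text is assembled at runtime.
type Finding struct {
	Line   int
	Reason string
}

// isDynamicSQL reports whether the query argument is built from runtime parts.
// It only inspects the expression passed directly at the call site; a query
// assembled earlier and passed through a variable is not detected.
func isDynamicSQL(e ast.Expr) (bool, string) {
	switch x := e.(type) {
	case *ast.BinaryExpr:
		if x.Op == token.ADD {
			return true, "string concatenation"
		}
	case *ast.CallExpr:
		if sel, ok := x.Fun.(*ast.SelectorExpr); ok {
			if pkg, ok := sel.X.(*ast.Ident); ok && pkg.Name == "fmt" && strings.HasPrefix(sel.Sel.Name, "Sprint") {
				return true, "fmt." + sel.Sel.Name
			}
		}
	}
	return false, ""
}

// AuditSource parses one Go file and returns every SQL call whose first
// argument (the query text) is dynamic.
func AuditSource(src string) ([]Finding, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "input.go", src, 0)
	if err != nil {
		return nil, err
	}
	var findings []Finding
	ast.Inspect(f, func(n ast.Node) bool {
		call, ok := n.(*ast.CallExpr)
		if !ok || len(call.Args) == 0 {
			return true
		}
		sel, ok := call.Fun.(*ast.SelectorExpr)
		if !ok || !sqlCallNames[sel.Sel.Name] {
			return true
		}
		if dyn, why := isDynamicSQL(call.Args[0]); dyn {
			findings = append(findings, Finding{Line: fset.Position(call.Pos()).Line, Reason: why})
		}
		return true
	})
	return findings, nil
}

// sampleSource is a constructed DAO file in the style of a dictionary-data
// lookup: two unsafe queries and one parameterized query.
const sampleSource = `package dao

import (
	"database/sql"
	"fmt"
)

// Constructed sample, not the project's real DAO code.
func FindByType(db *sql.DB, dictType string) (*sql.Rows, error) {
	// unsafe: caller-controlled input is spliced into the statement text
	return db.Query("SELECT dict_label, dict_value FROM sys_dict_data WHERE dict_type = '" + dictType + "'")
}

func FindByLabel(db *sql.DB, label string) *sql.Row {
	return db.QueryRow(fmt.Sprintf("SELECT dict_value FROM sys_dict_data WHERE dict_label = '%s'", label))
}

func FindByCode(db *sql.DB, code int) *sql.Row {
	// safe: the placeholder lets the driver send the value separately from the SQL text
	return db.QueryRow("SELECT dict_value FROM sys_dict_data WHERE dict_code = ?", code)
}
`

func main() {
	findings, err := AuditSource(sampleSource)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("input.go:%d: query text built via %s\n", f.Line, f.Reason)
	}
}
```

Run against the sample, the audit flags the concatenated query in FindByType and the Sprintf query in FindByLabel and stays silent on FindByCode, which is the pattern the fix in version 2.2 should leave behind: a constant statement plus bound parameters. Point AuditSource at the real DAO files (for example by reading modules/system/dao/DictDataDao.go) to get a starting list for the manual review step.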