# feedyour.email - SQL Injection via Search Parameter

Advisory ID: RO-26-003
CVE ID: CVE-2025-XXXX (Pending)
Severity: Critical
Vendor: indirect
Product: feedyour.email
Version: <=2.4.1

## Overview

A SQL injection vulnerability exists in feedyour.email. It allows an unauthenticated remote attacker to execute arbitrary SQL statements against the application's SQLite database through the search functionality.

## Vulnerability Details

Affected Versions: <=2.4.1

Root Cause: The search parameter (`params[:q]`) is passed, without sanitization or parameter binding, into the SQLite search query, so the attacker controls part of the SQL text that is executed.

Vulnerable Code: The vulnerability is reached from `app/controllers/posts_controller.rb`, where the raw request parameter is handed straight to the search function:

```ruby
@posts = @posts.search(params[:q]).to_a
```

## Exploitation Requirements

No authentication is required. The attacker only needs to be able to reach the search functionality.

## Impact

Remote attackers can exploit this vulnerability to:

- Extract sensitive data from the database.
- Modify or delete database contents.
- Bypass authentication mechanisms.
- Potentially achieve remote code execution, depending on database configuration.

## Proof of Concept

Using sqlmap, the search parameter was confirmed vulnerable to SQL injection. Boolean-based blind and UNION-based injections were successfully demonstrated.

## Solution

Upgrade to a patched version of feedyour.email that includes proper input sanitization using character whitelisting.

## References

- GitHub Pull Request #732
- Fix Commit

Timeline:

- [2025-12-29] - Reported
- [2025-12-30] - Fixed

Credits: Omar Kurt
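The vulnerable pattern beside two hardened forms, as an added example that is not feedyour.email's own code. The advisory shows only the controller line `@posts.search(params[:q])`, so the query builders below are a constructed stand-in for the project's search scope, and every name in them (`build_search_sql_vulnerable`, `sanitize_search_term`, `build_search_sql_whitelisted`, `build_search_sql_bound`, `injected?`) is hypothetical. The whitelist mirrors the fix strategy the advisory names; the bound-parameter form is the stronger general fix.

```ruby
# Added example, not feedyour.email's code. The advisory shows only
# `@posts.search(params[:q])`, so the query builders below are a constructed
# stand-in for the project's search scope; all names are hypothetical.

# Vulnerable pattern: the raw parameter is interpolated into the SQL text,
# so a quote in params[:q] closes the string literal and the rest is SQL.
def build_search_sql_vulnerable(q)
  "SELECT * FROM posts WHERE body LIKE '%#{q}%'"
end

# Fix strategy named by the advisory: character whitelisting. Only letters,
# digits, underscore and whitespace survive; quotes, '=', '-', ';' and so on
# are dropped, so the literal can never be closed. Hyphen is deliberately
# excluded because "--" starts a SQLite comment.
SEARCH_DISALLOWED = /[^\p{Alnum}\s_]/

def sanitize_search_term(q)
  q.to_s.gsub(SEARCH_DISALLOWED, "").strip
end

def build_search_sql_whitelisted(q)
  "SELECT * FROM posts WHERE body LIKE '%#{sanitize_search_term(q)}%'"
end

# Stronger general fix: a bound parameter. The SQL text is constant and the
# term travels separately as a bind value, so no character in it is parsed
# as SQL. In ActiveRecord this is `where("body LIKE ?", "%#{q}%")`.
def build_search_sql_bound(q)
  ["SELECT * FROM posts WHERE body LIKE ?", ["%#{q}%"]]
end

# Crude structural check on generated SQL text: an odd number of single quotes
# means a string literal was left open, and "--" means a comment was injected.
def injected?(sql)
  sql.count("'").odd? || sql.include?("--")
end

if __FILE__ == $PROGRAM_NAME
  payload = "' OR 1=1 --"
  vuln = build_search_sql_vulnerable(payload)
  safe = build_search_sql_whitelisted(payload)
  puts "vulnerable:  #{vuln}  injected=#{injected?(vuln)}"
  puts "whitelisted: #{safe}  injected=#{injected?(safe)}"
  sql, binds = build_search_sql_bound(payload)
  puts "bound:       #{sql}  binds=#{binds.inspect}"
end
```

Two caveats a reviewer would raise on the whitelist approach: it silently changes what users can search for (any punctuation is dropped), and it still lets `_` through, which `LIKE` treats as a single-character wildcard. If wildcard characters matter, escape the term with ActiveRecord's `sanitize_sql_like` and bind it rather than interpolating it.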