CVE-2025-54379— eKuiper API endpoints handling SQL queries with user-controlled table names.

eKuiper API endpoints handling SQL queries with user-controlled table names.

LF Edge eKuiper is a lightweight IoT data analytics and stream processing engine running on resource-constraint edge devices. In versions before 2.2.1, there is a critical SQL Injection vulnerability in the getLast API functionality of the eKuiper project. This flaw allows unauthenticated remote attackers to execute arbitrary SQL statements on the underlying SQLite database by manipulating the table name input in an API request. Exploitation can lead to data theft, corruption, or deletion, and full database compromise. This is fixed in version 2.2.1.

N/A

SQL命令中使用的特殊元素转义处理不恰当(SQL注入)

LF Edge eKuiper SQL注入漏洞

LF Edge eKuiper是LF Edge开源的一个边缘轻量级物联网数据分析软件。 LF Edge eKuiper 2.2.1之前版本存在SQL注入漏洞，该漏洞源于getLast API功能中存在SQL注入漏洞，可能导致执行任意SQL语句。

N/A

N/A