Jorani v1.0.4 Authenticated SQL Injection Vulnerability (CVE-2025-67102)

Critical Vulnerability Information CVE ID: CVE-2025-67102 Product: Jorani Severity: High Affected Versions: ≤ v1.0.4 Fixed Version: Not Fixed Disclaimer As of publication, no fix, patch, or official mitigation is available for this vulnerability. The project maintainers have acknowledged the issue but stated they will not implement a fix, as the project is being archived. Organizations relying on this software should treat this vulnerability as permanent and evaluate alternative solutions or isolation measures. Vulnerability Overview Jorani is an open-source, web-based leave management and overtime tracking system designed to help organizations manage employee absences, approvals, and human resources workflows in a simple and lightweight manner. Vulnerability Issue A high-risk vulnerability was discovered in the latest development branch (v1.0.4) and main branch of the Jorani project. An authenticated SQL injection flaw allows employees to extract, modify, or delete database content. Timeline Technical Details The function directly concatenates the parameter into an SQL query, leading to an SQL injection vulnerability. For example, the route calls the function, which passes the parameter from HTTP GET parameters into the function call, ultimately injecting it into the vulnerable function. Example Request Resources GitHub Project

Goal Reached Thanks to every supporter — we hit 100%!

Jorani v1.0.4 Authenticated SQL Injection Vulnerability (CVE-2025-67102)