feedyour.email 2.4.1 SQL Injection
feedyour.email - SQL Injection via Search Parameter
Advisory ID: RO-26-003
CVE ID: CVE-2025-XXXX (Pending)
Severity: Critical
Vendor: indirect
Product: feedyour.email
Version: <=2.4.1
Overview
A SQL Injection vulnerability exists in feedyour.email. The vulnerability allows remote attackers to execute arbitrary SQL commands via the search functionality.
Vulnerability Details
Affected Versions: <=2.4.1
Root Cause: The search parameter (params[:q]) is passed directly to the SQLite search() function without proper sanitization, allowing attackers to inject malicious SQL commands.
Vulnerable Code: The vulnerability exists in app/controllers/posts_controller.rb where user input is directly passed to the search function:
@posts = @posts.search(params[:q]).to_a
Exploitation Requirements
No authentication required.
Attacker must have access to the search functionality.
Impact
Remote attackers can exploit this vulnerability to:
Extract sensitive data from the database.
Modify or delete database contents.
Bypass authentication mechanisms.
Potentially achieve remote code execution depending on database configuration.
Proof of Concept
Using sqlmap, the search parameter was confirmed vulnerable to SQL injection attacks. Boolean-based blind and UNION-based injections were successfully demonstrated.
Solution
Upgrade to a patched version of feedyour.email that includes proper input sanitization using character whitelisting.
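As an added illustration that is not taken from the feedyour.email code base, the following Python re-creates the pattern behind the root cause and the fix against an in-memory SQLite table: a search that interpolates the raw term into the query, beside a version that applies a character whitelist (the approach the patch takes) and binds the term as a parameter. The table layout, sample rows and the exact whitelist pattern are assumptions.

```python
import re
import sqlite3

# Constructed sample rows standing in for the application's posts table.
SAMPLE_POSTS = [
    (1, "Weekly newsletter", "public"),
    (2, "Draft: launch plan", "private"),
    (3, "Release notes", "public"),
]

# Assumed whitelist: letters, digits, spaces, hyphen and period, capped at
# 64 characters. '%' and '_' are deliberately excluded because they are LIKE
# wildcards; quotes and comment sequences are excluded because they would
# change query structure when interpolated.
SEARCH_TERM_RE = re.compile(r"^[A-Za-z0-9 .\-]{1,64}$")


def build_db():
    """In-memory SQLite database populated with the constructed posts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, visibility TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?)", SAMPLE_POSTS)
    return conn


def is_allowed_term(q):
    """True when the search term contains only whitelisted characters."""
    return bool(SEARCH_TERM_RE.match(q))


def search_vulnerable(conn, q):
    """Mirrors the advisory's bug: the raw term is spliced into the SQL text,
    so a quote in q terminates the literal and the rest is parsed as SQL.
    The visibility filter is meant to hide private posts."""
    sql = f"SELECT id FROM posts WHERE visibility = 'public' AND title LIKE '%{q}%'"
    return sorted(row[0] for row in conn.execute(sql))


def search_fixed(conn, q):
    """Hardened version: reject terms outside the whitelist, then pass the
    term as a bound parameter so SQLite only ever treats it as data."""
    if not is_allowed_term(q):
        raise ValueError("search term contains disallowed characters")
    sql = "SELECT id FROM posts WHERE visibility = 'public' AND title LIKE ?"
    return sorted(row[0] for row in conn.execute(sql, (f"%{q}%",)))
```

Run against the constructed table, the interpolated version returns the private post for a term containing a quote and a comment marker, while the fixed version rejects that term before any query is built and returns only public matches for ordinary terms.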
References
GitHub Pull Request #732
Fix Commit
Timeline:
[2025-12-29] - Reported
[2025-12-30] - Fixed
Credits: Omar Kurt