A critical-severity security flaw has been discovered in Koha, the widely used open-source library management system. The vulnerability, tracked as CVE-2025-22954, is a SQL Injection vulnerability with a CVSS score of 10.
The vulnerability resides in lateissues-export.pl and allows attackers to inject arbitrary SQL instructions. The vulnerable function, GetLateOrMissingIssues (located in C4/Serials.pm), is susceptible to SQL injection via the supplierid and/or serialid parameters, which are not properly sanitized.
The impact of this vulnerability is significant. It allows:
-
Unauthenticated users to inject SQL instructions in Koha versions 21.11.x and earlier.
-
Authenticated users to inject SQL instructions in Koha versions later than 21.11.x.
SQL injection vulnerabilities can allow attackers to read, modify, or delete sensitive data within the library’s database, potentially leading to data breaches, unauthorized access, and other malicious activities.
To address this critical security issue, Koha version 24.11.02 has been released. It is strongly recommended that all Koha users upgrade to this latest version as soon as possible.
In addition to the SQL Injection fix, Koha 24.11.02 includes several other security enhancements, demonstrating a strong commitment to security:
-
MARC detail and ISBD pages now properly handle suppressed records.
-
Potential unauthorized access has been addressed in public REST routes.
-
ArticleRequestsSupportedFormatsare now enforced server-side. -
CSRF protection has been added to
patron_lists/delete.pl. -
SIP2 now prevents logging passwords.
-
Memory (L1) cache is flushed before API requests.
-
Template::Toolkitfilters are now safer by using RFC3986. -
Circulation returns are no longer vulnerable to reflected XSS.
-
A TT filter using an HTML scrubber has been added.
-
XSS has been fixed in vendor search.
-
Remote Code Execution has been addressed within the Task Scheduler.
Koha users are urged to review the full release notes for a complete list of enhancements and bug fixes.
