CVE-2025-32389: NamelessMC Vulnerable to SQL Injections in /user/messaging and /panel/users/reports Pages
First published: Fri Apr 18 2025(Updated: )
NamelessMC is a free, easy to use & powerful website software for Minecraft servers. Prior to version 2.1.4, NamelessMC is vulnerable to SQL injection by providing an unexpected square bracket GET parameter syntax. Square bracket GET parameter syntax refers to the structure `?param[0]=a¶m[1]=b¶m[2]=c` utilized by PHP, which is parsed by PHP as `$_GET['param']` being of type array. This issue has been patched in version 2.1.4.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| NamelessMC | <2.1.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2025-32389?
CVE-2025-32389 has a high severity level due to its potential for SQL injection attacks.
How do I fix CVE-2025-32389?
To address CVE-2025-32389, upgrade to NamelessMC version 2.1.4 or later.
What software is affected by CVE-2025-32389?
CVE-2025-32389 affects any versions of NamelessMC prior to 2.1.4.
What type of vulnerability is CVE-2025-32389?
CVE-2025-32389 is classified as an SQL injection vulnerability.
Can CVE-2025-32389 be exploited by attackers?
Yes, CVE-2025-32389 can be exploited by attackers through specially crafted GET parameters.
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/title
- agent/weakness
- agent/type
- agent/description
- agent/first-publish-date
- agent/guess-ai
- agent/software-canonical-lookup
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- agent/last-modified-date
- agent/severity
- agent/author
- agent/event
- collector/epss-latest
- source/FIRST
- agent/source
- agent/tags
- agent/epss
- vendor/namelessmc
- canonical/namelessmc