Full Report
LevelBlue SpiderLabs has discovered a vulnerability in the Orkes Conductor platform (version 5.2.4 | v1.19.12) that allows authenticated attackers to perform time-based blind SQL injection attacks against the backend PostgreSQL database.
Analysis Summary
# Vulnerability: Time-Based Blind SQL Injection in Orkes Conductor
## CVE Details
- CVE ID: CVE-2025-66387
- CVSS Score: Not stated in the source text; authenticated SQL injection that yields database read access is typically rated High.
- CWE: Likely CWE-89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))
## Affected Systems
- Products: Orkes Conductor
- Versions: 5.2.4 | v1.19.12 (both version strings as given in the source; the source does not explain how the two relate)
- Configurations: Deployments backed by PostgreSQL. Exploitation requires a valid, authenticated account on the platform.
## Vulnerability Description
LevelBlue SpiderLabs discovered a time-based blind SQL injection vulnerability in the Orkes Conductor platform. The flaw exists because user-supplied input reaches the SQL sent to the backend PostgreSQL database without being properly sanitized: the input is interpolated into query text even though the query interface supports bind variables, so an attacker can alter the query's syntax (CWE-89). Because the application returns neither query results nor database error text to the attacker, the injection is 'blind'; the attacker infers data one condition at a time by injecting a conditional delay (for example via `pg_sleep()`) and measuring how long the response takes.
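The bug class described above, as an added illustration that is not Orkes Conductor's code and not from the LevelBlue write-up: a query built by string concatenation next to the same query using a bind parameter. The `workflow_status` table, the column names and the function names are assumptions, and sqlite3 stands in for the real PostgreSQL backend; a stub `pg_sleep()` is registered on the connection so the time-delay primitive a blind payload relies on becomes observable without actually sleeping.

```python
"""
Added example (not Orkes Conductor code): concatenated vs. parameterized SQL.
sqlite3 is used as a stand-in for PostgreSQL; pg_sleep() is a stub that only
records that it was called, which is the side effect a time-based blind SQLi
payload depends on.
"""
import sqlite3

SLEEP_CALLS = []  # every invocation of the stub pg_sleep() is recorded here


def _pg_sleep_stub(seconds):
    # Real pg_sleep(seconds) blocks the backend for that long; the stub just
    # records the call. It returns NULL (pg_sleep returns void), so the
    # injected 'pg_sleep(5) IS NULL' clause evaluates true.
    SLEEP_CALLS.append(seconds)
    return None


def make_db():
    # Constructed in-memory schema and rows (assumed table/columns).
    conn = sqlite3.connect(":memory:")
    conn.create_function("pg_sleep", 1, _pg_sleep_stub)
    conn.execute(
        "CREATE TABLE workflow_status (id INTEGER PRIMARY KEY, name TEXT, status TEXT)"
    )
    conn.executemany(
        "INSERT INTO workflow_status (name, status) VALUES (?, ?)",
        [("order_flow", "RUNNING"), ("billing_flow", "COMPLETED")],
    )
    conn.commit()
    return conn


def count_vulnerable(conn, status):
    # VULNERABLE: the caller-supplied value becomes part of the SQL text.
    sql = "SELECT COUNT(*) FROM workflow_status WHERE status = '" + status + "'"
    return conn.execute(sql).fetchone()[0]


def count_safe(conn, status):
    # SAFE: the value travels as a bind parameter and is never parsed as SQL.
    sql = "SELECT COUNT(*) FROM workflow_status WHERE status = ?"
    return conn.execute(sql, (status,)).fetchone()[0]


# Constructed time-based blind payload. In the vulnerable function the clause
# "OR pg_sleep(5) IS NULL" is evaluated for every row, so a real server would
# stall, and the attacker reads the answer from the response time.
PAYLOAD = "x' OR pg_sleep(5) IS NULL --"


def demo():
    """Run the payload through both functions; return what each one did."""
    conn = make_db()
    SLEEP_CALLS.clear()
    vuln_rows = count_vulnerable(conn, PAYLOAD)
    vuln_sleeps = len(SLEEP_CALLS)
    SLEEP_CALLS.clear()
    safe_rows = count_safe(conn, PAYLOAD)  # looks for a status literally equal to PAYLOAD
    safe_sleeps = len(SLEEP_CALLS)
    return {
        "vuln_rows": vuln_rows,
        "vuln_sleeps": vuln_sleeps,
        "safe_rows": safe_rows,
        "safe_sleeps": safe_sleeps,
    }


if __name__ == "__main__":
    print(demo())
```

In the vulnerable path the injected `OR` clause matches every row and the sleep function fires; in the parameterized path the whole payload is compared as an opaque string, matches nothing, and the sleep function is never reached. The fix for CWE-89 is the second shape: bind variables for every value, with no input ever spliced into query text.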
## Exploitation
- Status: PoC available (inferred: the disclosure describes a specific technical flaw; no public exploit code is cited in the source)
- Complexity: Medium (time-based blind extraction needs scripted, timing-sensitive requests, but the only precondition is a valid account)
- Attack Vector: Network (Authenticated)
## Impact
- Confidentiality: High (successful exploitation lets an attacker infer and extract data from the PostgreSQL database, one condition at a time)
- Integrity: High (where the injection point permits stacked statements or subqueries with side effects, records can be modified or deleted)
- Availability: Medium (injected `pg_sleep()` calls hold database connections open; sustained use can degrade or deny service)
## Remediation
### Patches
- The source article reports the discovery and CVE assignment but **does not list the patched version numbers.** Upgrade to the latest vendor release that addresses CVE-2025-66387 once it is available.
### Workarounds
- Deploy Web Application Firewall (WAF) rules that filter obvious SQL injection payloads (quotes, comment sequences, `pg_sleep`); treat this as an interim control, since WAF signatures can be bypassed.
- Restrict network access to the PostgreSQL endpoint to the application servers that need it, and run the application with a least-privilege database role; this limits the blast radius but does not remove the injection.
- Because exploitation requires authentication, review which accounts can reach the affected interfaces and enforce strict authentication and authorization on them.
## Detection
- Indicators of Compromise: Unusually long response times on specific application endpoints, especially requests whose parameters contain `pg_sleep()` or similar time-delay functions and whose latency matches the requested delay.
- Detection methods and tools: Monitor database and application logs for SQL keywords, quote and comment characters, or delay functions in request parameters. On PostgreSQL, `log_min_duration_statement` records statements that exceed a duration threshold, and `pg_stat_activity` shows the text of currently running queries, which exposes injected `pg_sleep()` calls while they execute. Application Security Monitoring (ASM) tools should flag time-delay injections.
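The detection logic above, as an added example that is not part of the LevelBlue advisory or Orkes tooling: a small scanner that applies both indicators (a time-delay or SQL-syntax token in a request parameter, and latency above a threshold) to constructed application access-log lines. The log format, endpoint paths, the latency threshold and the token lists are assumptions for the demo; a slow request with a benign parameter is deliberately included to show that latency alone is not flagged.

```python
"""
Added example (not from the advisory): flag likely time-based blind SQLi
attempts in constructed access-log lines. Log format, paths and thresholds
are assumptions.
"""
import re
from urllib.parse import unquote_plus

# Constructed sample lines: "<ts> <method> <path?query> <status> <latency_ms>".
# Line 2 and line 4 carry pg_sleep() payloads; line 3 is slow but benign.
SAMPLE_LOG = """\
2025-11-20T10:00:01Z GET /api/workflow/search?query=status%3DRUNNING 200 42
2025-11-20T10:00:03Z GET /api/workflow/search?query=status%3D%27%20OR%20pg_sleep%285%29%20IS%20NULL-- 200 5031
2025-11-20T10:00:04Z GET /api/workflow/search?query=status%3DCOMPLETED 200 4880
2025-11-20T10:00:09Z GET /api/workflow/search?query=x%27%3BSELECT%20pg_sleep%2810%29-- 200 10012
2025-11-20T10:00:10Z GET /api/metadata/workflow 200 12
"""

LATENCY_THRESHOLD_MS = 3000  # assumed: well above the endpoint's normal p99

# PostgreSQL delay functions plus a generic "sleep(" catch-all.
DELAY_FUNCS = re.compile(r"\b(pg_sleep_for|pg_sleep_until|pg_sleep|sleep)\s*\(", re.I)
# Cheap SQL-syntax indicators: comment openers, statement separator, quoted boolean, UNION.
SQL_SYNTAX = re.compile(r"(--|/\*|;|'\s*(or|and)\b|\bunion\b)", re.I)

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+(?P<status>\d{3})\s+(?P<latency>\d+)$"
)


def parse_line(line):
    """Split one access-log line into fields; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["latency"] = int(rec["latency"])
    path, _, query = rec["target"].partition("?")
    rec["path"] = path
    rec["query"] = unquote_plus(query)  # decode %XX so tokens can be matched
    return rec


def classify(rec, threshold_ms=LATENCY_THRESHOLD_MS):
    """Return a reason string if the request looks like time-based blind SQLi, else None."""
    slow = rec["latency"] >= threshold_ms
    delay = DELAY_FUNCS.search(rec["query"]) is not None
    syntax = SQL_SYNTAX.search(rec["query"]) is not None
    if delay:
        # A delay function in a parameter is worth an alert even if the request
        # was fast (the injection may have failed); latency raises confidence.
        return "delay-function" + ("+slow" if slow else "")
    if slow and syntax:
        return "sql-syntax+slow"
    return None  # slow alone, or syntax alone, is not enough


def scan(log_text, threshold_ms=LATENCY_THRESHOLD_MS):
    """Return (timestamp, path, latency_ms, reason) for every flagged line."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify(rec, threshold_ms)
        if reason:
            hits.append((rec["ts"], rec["path"], rec["latency"], reason))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Run against the sample, only the two `pg_sleep()` requests are reported; the 4.9 s benign search is left alone because a slow query by itself is ordinary. In production, pair this application-side view with the database-side one: a `pg_sleep()` call visible in `pg_stat_activity` or in a `log_min_duration_statement` entry for a statement the application never issues itself is a stronger signal than latency alone.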
## References
- Vendor advisories: None explicitly listed with a link, only the discovery blog post URL.
- Relevant links - defanged: hxxps://www.levelblue.com/blogs/spiderlabs-blog/levelblue-spiderlabs-sql-injection-in-orkes-conductor-cve-2025-66387/