Full Report
LevelBlue SpiderLabs has discovered a vulnerability in the Orkes Conductor platform (version 5.2.4 | v1.19.12) that allows authenticated attackers to perform time-based blind SQL injection attacks against the backend PostgreSQL database.
Analysis Summary
# Vulnerability: Time-Based Blind SQL Injection in Orkes Conductor
## CVE Details
- CVE ID: CVE-2025-66387
- CVSS Score: Determined to be **High** based on typical SQLi impact, specific score not provided in text.
- CWE: Not explicitly listed, but it is an SQL Injection (CWE-89).
## Affected Systems
- Products: Orkes Conductor
- Versions: 5.2.4 | v1.19.12
- Configurations: Requires the attacker to be authenticated. Impacts the backend PostgreSQL database.
## Vulnerability Description
LevelBlue SpiderLabs discovered a time-based blind SQL Injection vulnerability within the Orkes Conductor platform. This flaw allows an authenticated attacker to inject malicious SQL queries into parameters used by the backend system, specifically targeting the PostgreSQL database. Since the attack is time-based blind, the SQL injection does not return data directly but relies on inducing time delays to infer information from the database one bit at a time.
## Exploitation
- Status: PoC available (Implied by official discovery and reporting, though direct PoC link is not provided)
- Complexity: Medium (Requires authentication and knowledge of blind SQLi techniques)
- Attack Vector: Network (Assumed, as it targets a platform accessible over the network)
## Impact
- Confidentiality: High (Potential for full data exfiltration from the PostgreSQL database)
- Integrity: High (Potential for data modification or corruption)
- Availability: Medium (Potential for denial of service through resource exhaustion or database manipulation)
## Remediation
### Patches
- Users are recommended to update to the latest version of Orkes Conductor that addresses this issue. (Specific fixed version not provided in summary text).
### Workarounds
- Validate and escape all user-supplied inputs.
- Use prepared statements with bind variables when interacting with the PostgreSQL database.
## Detection
- **Indicators of Compromise:** Look for unusual time delays in application response logs corresponding to user input submissions, especially if input seems to trigger database interaction.
- **Detection methods and tools:** Monitor SQL queries generated by the application for unusual patterns, syntax errors, or overly long execution times indicative of time-based payloads (e.g., `pg_sleep()`).
## References
- Vendor Advisories: Information regarding the patch and disclosure timeline is available from LevelBlue SpiderLabs.
- Relevant links - defanged:
- `levelblue.com/blogs/spiderlabs-blog/levelblue-spiderlabs-sql-injection-in-orkes-conductor-cve-2025-66387/`