CVE-2025-21628

Chatwoot is a customer engagement suite. Prior to 3.16.0, conversation and contact filters endpoints did not sanitize the input of query_operator passed from the frontend or the API. This provided any actor who is authenticated, an attack vector to run arbitrary SQL within the filter query by adding a tautological WHERE clause. This issue is patched with v3.16.0.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.1 / Impact : 5.3

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact LOW

Scope CHANGED

References

Link	Resource
https://github.com/chatwoot/chatwoot/commit/b34dac7bbe3c910186083b680e51aad5ea60b44b	Patch
https://github.com/chatwoot/chatwoot/security/advisories/GHSA-g8f9-hh83-rcq9	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:chatwoot:chatwoot:*:*:*:*:*:*:*:*

History

29 Oct 2025, 14:52

Type	Values Removed	Values Added
CPE		cpe:2.3:a:chatwoot:chatwoot::::::::
Summary		(es) Chatwoot es una suite de interacción con el cliente. Antes de la versión 3.16.0, los endpoints de los filtros de conversación y contacto no depuraban la entrada de query_operator que se pasaba desde el frontend o la API. Esto proporcionaba a cualquier actor autenticado un vector de ataque para ejecutar SQL arbitrario dentro de la consulta de filtro agregando una cláusula WHERE tautológica. Este problema se solucionó con la versión 3.16.0.
References	~~() https://github.com/chatwoot/chatwoot/commit/b34dac7bbe3c910186083b680e51aad5ea60b44b -~~	() https://github.com/chatwoot/chatwoot/commit/b34dac7bbe3c910186083b680e51aad5ea60b44b - Patch
References	~~() https://github.com/chatwoot/chatwoot/security/advisories/GHSA-g8f9-hh83-rcq9 -~~	() https://github.com/chatwoot/chatwoot/security/advisories/GHSA-g8f9-hh83-rcq9 - Patch, Vendor Advisory
First Time		Chatwoot chatwoot Chatwoot

09 Jan 2025, 18:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-01-09 18:15

Updated : 2025-10-29 14:52

NVD link : CVE-2025-21628

Mitre link : CVE-2025-21628

CVE.ORG link : CVE-2025-21628

JSON object : View

Products Affected

chatwoot

chatwoot

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2025-21628", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.3, "exploitabilityScore": 3.1}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2025-01-09T18:15:30.070", "references": [{"url": "https://github.com/chatwoot/chatwoot/commit/b34dac7bbe3c910186083b680e51aad5ea60b44b", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/chatwoot/chatwoot/security/advisories/GHSA-g8f9-hh83-rcq9", "tags": ["Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "Chatwoot is a customer engagement suite. Prior to 3.16.0, conversation and contact filters endpoints did not sanitize the input of query_operator passed from the frontend or the API. This provided any actor who is authenticated, an attack vector to run arbitrary SQL within the filter query by adding a tautological WHERE clause. This issue is patched with v3.16.0."}, {"lang": "es", "value": "Chatwoot es una suite de interacci\u00f3n con el cliente. Antes de la versi\u00f3n 3.16.0, los endpoints de los filtros de conversaci\u00f3n y contacto no depuraban la entrada de query_operator que se pasaba desde el frontend o la API. Esto proporcionaba a cualquier actor autenticado un vector de ataque para ejecutar SQL arbitrario dentro de la consulta de filtro agregando una cl\u00e1usula WHERE tautol\u00f3gica. Este problema se solucion\u00f3 con la versi\u00f3n 3.16.0."}], "lastModified": "2025-10-29T14:52:40.483", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:chatwoot:chatwoot:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CDB91EEC-7F68-410A-A5E6-A57EF56E18D4", "versionEndExcluding": "3.16.0", "versionStartIncluding": "2.16.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}