SQL Injection Vulnerability in Synology Drive Server by Synology
CVE-2024-50631

7.5 HIGH

Key Information:

Vendor
Synology
CVE Published:
19 March 2025

Summary

An SQL injection vulnerability exists in the system syncing daemon of Synology Drive Server. Remote attackers could exploit it to execute unauthorized SQL commands through unspecified vectors. The issue affects specific versions of the product, so users should upgrade to the latest versions to mitigate the risk.

Affected Version(s)

Synology Drive Server *

Synology Drive Server * < 3.5.1-26102

Synology Drive Server * < 3.5.0-26085

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Pumpkin Chang (@u1f383) and Orange Tsai (@orange_8361) from DEVCORE Research Team.