SQL Injection Vulnerability in Chatwoot Customer Engagement Suite
CVE-2025-21628
What is CVE-2025-21628?
In versions of the Chatwoot customer engagement suite before 3.16.0, the conversation and contact filter endpoints did not sanitize the query_operator value received from both the frontend and the API. An authenticated user could therefore inject tautological WHERE clauses into the filter queries and execute arbitrary SQL, potentially compromising the integrity and confidentiality of the application's database. Chatwoot addressed and patched this issue in version 3.16.0.
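The bug class behind this advisory, as an added illustration rather than Chatwoot's own code: a hypothetical Rails-style filter builder that joins conditions with a client-supplied query_operator. The vulnerable form interpolates the operator into the SQL text; the hardened form accepts only the two join words the feature needs and checks attribute names against a fixed allow-list, leaving values to bind parameters. Filter shape, attribute names and function names are assumptions.

```ruby
# Hypothetical filter-clause builder (not Chatwoot's code). Each filter is a hash:
#   { attribute:, value:, query_operator: }
# where query_operator ("AND"/"OR") joins this condition to the next one, as in
# the advisory. Values are bound separately via "?" placeholders.

ALLOWED_QUERY_OPERATORS = %w[AND OR].freeze
ALLOWED_ATTRIBUTES = %w[status assignee_id priority].freeze  # assumed columns

class UnsafeOperatorError < StandardError; end

# Vulnerable form: the client-supplied query_operator lands verbatim in the SQL
# string, so anything the client sends becomes part of the WHERE clause.
def build_where_vulnerable(filters)
  filters.each_with_index.map do |f, i|
    clause = "#{f[:attribute]} = ?"
    # the last filter carries no trailing join word
    i == filters.size - 1 ? clause : "#{clause} #{f[:query_operator]} "
  end.join
end

# Hardened form: the operator is normalised and must be exactly AND or OR, and
# the attribute must be a known column. Anything else is rejected, not escaped.
def build_where_hardened(filters)
  filters.each_with_index.map do |f, i|
    attr = f[:attribute].to_s
    unless ALLOWED_ATTRIBUTES.include?(attr)
      raise UnsafeOperatorError, "unknown attribute #{attr.inspect}"
    end
    clause = "#{attr} = ?"
    next clause if i == filters.size - 1
    op = f[:query_operator].to_s.strip.upcase
    unless ALLOWED_QUERY_OPERATORS.include?(op)
      raise UnsafeOperatorError, "rejected query_operator #{f[:query_operator].inspect}"
    end
    "#{clause} #{op} "
  end.join
end
```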