SQL Injection Vulnerability in huija BicycleSharingServer
CVE-2025-6749

5.3MEDIUM

Key Information:

Vendor: Huija
Status: Bicyclesharingserver
Vendor: CVE Published:; 27 June 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-6749?

A vulnerability has been identified in the huija BicycleSharingServer that involves the searchAdminMessageShow function within AdminController.java. This flaw permits attackers to manipulate the Title argument, leading to potential SQL injection attacks. The vulnerability can be exploited remotely, allowing unauthorized users to access and manipulate database queries. Given that the product does not implement versioning, specific details about the range of affected releases are currently unavailable. Prompt action is recommended to secure systems utilizing this software.

Affected Version(s)

bicycleSharingServer 7b8a3ba48ad618604abd4797d2e7cf3b5ac7625a

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-6749 - Proof of Concept

References

https://vuldb.com/?id.314047

vdb-entrytechnical-description

https://vuldb.com/?ctiid.314047

signaturepermissions-required

https://vuldb.com/?submit.598164

third-party-advisory

CVSS V4

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Jun 27, 2025
👾
Exploit known to exist
Jun 27, 2025
Vulnerability published
Jun 27, 2025
Vulnerability Reserved
Jun 26, 2025

Credit

bi8bu (VulDB User)

Huija