SQL Injection Vulnerability in Chef Automate by Chef Software
CVE-2025-8868

9.8CRITICAL

Key Information:

Vendor: Progress Software
Status: Chef Automate
Vendor: CVE Published:; 29 September 2025

🔔 Create Progress Software Vulnerability Alert

What is CVE-2025-8868?

In Chef Automate, versions prior to 4.13.295, an authenticated attacker can exploit a SQL injection vulnerability in the compliance service. This allows unauthorized access to restricted functions through improperly sanitized inputs in SQL commands, leveraging well-known tokens. Organizations using vulnerable versions should prioritize updating to mitigate potential risks.

Affected Version(s)

Chef Automate Linux 0 < 4.13.295

References

https://docs.chef.io/release_notes_automate/#4.13.295

EPSS Score

16% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 29, 2025
Vulnerability Reserved
Aug 11, 2025

Credit

This vulnerability was discovered by XBOW.

JSON