CVE-2025-58448

rAthena · MMORPG Server

A SQL injection vulnerability in the PartyBooking component of the rAthena MMORPG server allows unauthorized database manipulation via the WorldN parameter.

Executive summary

A critical SQL injection vulnerability in the rAthena MMORPG server allows unauthenticated attackers to compromise the underlying database.

Vulnerability

This vulnerability consists of a SQL injection flaw located within the PartyBooking component. An unauthenticated attacker can exploit this by injecting malicious SQL queries into the WorldN parameter.

Business impact

Successful exploitation of this vulnerability could lead to unauthorized access, modification, or deletion of sensitive game server data, including user accounts and credentials. Given the CVSS score of 9.1, this flaw presents a critical risk to the integrity and availability of the server infrastructure, potentially resulting in complete system compromise.

Remediation

Immediate Action: Update the rAthena server software to the latest version, or apply the fix provided in commit 0d89ae0, without delay.

Proactive Monitoring: Review server access and database logs for anomalous SQL query patterns or unexpected database errors originating from the PartyBooking module.

Compensating Controls: Implement a Web Application Firewall (WAF) or database-level input validation to sanitize traffic directed at the PartyBooking component until the patch can be applied.
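The following is an added illustration of the vulnerability class and of the input-validation control recommended above; it is not rAthena's code, and the table schema, column names and the hypothetical `search_*` / `validate_world_name` functions are constructed for the example. It uses Python's built-in sqlite3 module as a stand-in for the server's MySQL backend to show how a string-spliced lookup on a world-name parameter behaves under a tautology payload, and how a parameterized query plus an allowlist check closes the hole.

```python
import re
import sqlite3

# Constructed in-memory stand-in for a party-booking table (not rAthena's schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE party_booking (id INTEGER PRIMARY KEY, world TEXT, leader TEXT)"
    )
    conn.executemany(
        "INSERT INTO party_booking (world, leader) VALUES (?, ?)",
        [("Prontera", "alice"), ("Payon", "bob"), ("Prontera", "carol")],
    )
    conn.commit()
    return conn


def search_vulnerable(conn, world):
    # DEFECT (deliberate, for illustration): the caller-controlled world name is
    # spliced into the SQL text, so quotes in the value change the query itself.
    sql = "SELECT leader FROM party_booking WHERE world = '%s'" % world
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, world):
    # Hardened form: the value travels as a bound parameter, never as SQL text.
    rows = conn.execute(
        "SELECT leader FROM party_booking WHERE world = ?", (world,)
    )
    return [row[0] for row in rows]


# Hypothetical allowlist check standing in for the "database-level input
# validation" compensating control: world names are short identifiers.
WORLD_NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def validate_world_name(world):
    return bool(WORLD_NAME_RE.match(world))


def search_defended(conn, world):
    # Reject malformed input before it reaches the database layer at all.
    if not validate_world_name(world):
        raise ValueError("rejected world name: %r" % world)
    return search_parameterized(conn, world)


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"  # classic tautology: the vulnerable query matches every row
    print("vulnerable   :", search_vulnerable(db, payload))     # all three leaders
    print("parameterized:", search_parameterized(db, payload))  # no such world -> []
    print("defended     :", validate_world_name(payload))       # False, never queried
```

The vulnerable function returns every booking because the injected quote turns the `WHERE` clause into `world = '' OR '1'='1'`; the parameterized version treats the same bytes as a literal world name and finds nothing. The allowlist is a cheap interim control, but the durable fix is the bound parameter, which is what the upstream commit should be checked against.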

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

The severity of this SQL injection vulnerability necessitates immediate attention to prevent unauthorized database access. Administrators must prioritize updating the rAthena server instance to the latest commit to mitigate the risk of data exfiltration or total system compromise.