CVE-2025-21628: SQL Injection Vulnerability in Chatwoot Prior to v3.16. and its Mitigation

Chatwoot is a popular open-source customer engagement suite widely used for efficient customer communication management. Security researchers have recently identified an SQL injection vulnerability in Chatwoot. This vulnerability was assigned the CVE number CVE-2025-21628. As per the official reports, this vulnerability was found to affect Chatwoot installations prior to version 3.16., in particular, conversation and contact filters endpoints. This post serves to explain this CVE-2025-21628 vulnerability, its risks, and the steps taken to mitigate it.

Vulnerability: CVE-2025-21628

The reported SQL injection vulnerability allowed an authenticated attacker to execute arbitrary SQL queries by adding a tautological WHERE clause. This was primarily made possible due to insufficient input validation of the query_operator parameter used in the conversation and contact filter endpoints.

Nature of the Vulnerability

When the query_operator is not sanitized or properly checked against the input from the frontend or the API, an attacker can potentially craft and inject malicious SQL queries. This could result in unauthorized access to sensitive information, alteration of important data, loss of data integrity, and even complete control over the backend database in extreme cases.

The following code snippet demonstrates the attack vector in action

POST /api/v1/conversations/search
Content-Type: application/json
{
"query_operator": "OR \"1\"=\"1\"",
"query": "do_not_reply@example.com"
}

By inserting a tautological WHERE clause, the attacker can force the query to return all records of the corresponding table, regardless of the intended filter conditions.

Official References & Changelog

The issue was fixed in version 3.16., as mentioned in the official Changelog: https://github.com/chatwoot/chatwoot/blob/develop/CHANGELOG.md
Details of the patch applied to resolve this vulnerability can be found within the corresponding GitHub Pull Request: https://github.com/chatwoot/chatwoot/pull/3468

Mitigation

To mitigate this SQL injection vulnerability, users must upgrade their Chatwoot installations to version 3.16. or later. It is important to perform regular security audits on your software and keep it up-to-date to ensure that the latest security patches are enforced and you remain protected from known vulnerabilities.

Conclusion

Security is a crucial aspect of every software product, and it is essential to identify vulnerabilities and provide patches promptly. CVE-2025-21628 outlines a SQL injection vulnerability in Chatwoot, but fortunately, this vulnerability was mitigated with the release of version 3.16.. Therefore, it is highly recommended to update your Chatwoot installations as soon as possible, ensuring the protection of your sensitive data and reducing the risk of unauthorized access.

Timeline

Published on: 01/09/2025 18:15:30 UTC