cat churchcrm-sqli-cve-2025-67877.md
From Code Analysis to CVE: Uncovering SQL Injection in ChurchCRM (CVE-2025-67877)
Technical walkthrough of identifying, exploiting, and responsibly disclosing a SQL Injection vulnerability in ChurchCRM (CVE-2025-67877).
Overview
CVE-2025-67877 is a high-severity SQL Injection vulnerability discovered in the open-source church management system ChurchCRM. This issue stems from improper handling of user input in the application’s codebase, allowing an attacker to inject arbitrary SQL into database queries and exfiltrate sensitive data.
The Discovery: A Late-Night Code Hunt
When diving into a new codebase, the goal isn’t just to read lines of code; it’s to map the boundaries of developer trust. You are constantly looking for that one specific moment where a developer assumed an input was safe, but forgot to actually enforce it. I took this mindset into a recent white-box audit of ChurchCRM. It’s a fascinating target: trusted to manage the highly sensitive personal data of thousands of organizations, yet structurally anchored by legacy PHP patterns that often hide critical flaws. My objective was clear: hunt for ‘sinks’—those precise junctions where user-controlled variables meet the database execution layer without protection.
While tracing the logic within CartToFamily.php, an anomaly jumped off the screen. While almost every other parameter was safely wrapped in a standard filtering utility, PersonAddress stood alone, nakedly concatenated into a raw SQL query. It was one of those rare ‘wait, did I just read that right?’ moments. I immediately spun up my local Docker environment, caught the request in Burp Suite, and injected a single quote (’). The application didn’t just fail gracefully; it bled a raw, verbose database error. In that instant, I knew I wasn’t just looking at a minor bug—I was staring at an open gateway to the entire backend database.
Target and Context
ChurchCRM is an open-source application used by organizations to manage member information, donations, and events. Its public source code makes it a viable target for white-box audits, where an analyst can manually inspect logic flaws and risky constructs across the codebase.
Methodology
The vulnerability was found through manual source code review, following a methodical approach:
- Input Vector Identification – Files and endpoints that accept user input (especially
POSTparameters) were mapped. - Sanitization Tracing – Observed how those inputs were processed before being used in database queries.
- Bypass Analysis – Isolated input paths where sanitization was insufficient or inconsistent with best practices.
This process revealed that automated tooling often misses contextual flaws that only a human analysis can detect, reinforcing the value of manual inspection.
CVE-2025-67877 — SQL Injection: Data Exfiltration and Application Compromise
Vulnerability Class
CWE-89: Improper Neutralization of Special Elements used in an SQL Command.
Vulnerable Code Pattern
The SQL Injection flaw was located in the file CartToFamily.php within ChurchCRM’s source. While many input fields are filtered using an input utility, the PersonAddress parameter was concatenated directly into the SQL query string without proper type enforcement or prepared statements.
Below is a simplified illustration of the problematic logic:
// Illustrative snippet of vulnerable logic
$sAddress1 = InputUtils::LegacyFilterInput($_POST['PersonAddress']);
// Unsafe concatenation into SQL query
$sSQL = "SELECT * FROM family_fam WHERE fam_Address1 = '" . $sAddress1 . "'";
This pattern allows special characters in the PersonAddress input to manipulate SQL syntax because the legacy filter did not enforce strict sanitation.
Exploitation (Proof of Concept - PoC)
To validate the vulnerability in a controlled environment:
- Laboratory Setup: Docker + ChurchCRM instance
- Tools: Burp Suite Professional for interception
- Database: MySQL backend
The following HTTP request illustrates exploitation via SQL Injection:
POST /CartToFamily.php HTTP/1.1
Host: localhost:8080
Content-Type: application/x-www-form-urlencoded
PersonAddress=MainSt' UNION SELECT 1,database(),3,4,5 -- -
Upon injection, the target responded with content reflecting query results from the manipulated database query, including information like the current database name — confirming successful SQL Injection.
Impact
Successful exploitation of this vulnerability allows:
- Unauthorized exfiltration of sensitive parish and member data.
- Exposure of database structure, credentials, and internal values.
- Full compromise of application confidentiality and integrity.
Given the nature of the data ChurchCRM typically manages, this risk is considered high severity.
Remediation
To remediate this issue, avoid direct string concatenation in SQL queries. Instead, use prepared statements (parameterized queries), which separate SQL logic from user input.
Secure Example (PHP PDO)
// Secure prevention using prepared statements
$stmt = $pdo->prepare("SELECT * FROM family_fam WHERE fam_Address1 = :address");
$stmt->execute(['address' => $sAddress1]);
$result = $stmt->fetchAll();
Prepared statements ensure the database treats input as data only, eliminating SQL interpretation risk.
The fix was incorporated into ChurchCRM version 6.5.3 and later.
Conclusion and Key Takeaways
The discovery of CVE-2025-67877 emphasizes the importance of manual source code review in vulnerability research, especially for web applications with complex logic flows. Automated scanners provide value, but human insight remains critical to identifying contextual flaws like SQL Injection in real-world codebases.
Security practitioners should prioritize:
- Use of parameterized queries across all database access layers.
- Rigorous input validation tied to the exact SQL usage context.
- Regular code audits beyond automated tooling.
Combining these practices helps ensure robust defenses against SQL Injection and similar injection-based attacks.
References
- The National Vulnerability Database entry for CVE-2025-67877 provides the official vulnerability description and severity.
- Original Medium article explaining methodology and exploitation details.