CVE-2025-29085: Vipshop Saturn Console Vulnerable to SQL Injection via ClusterKey Component

April 2, 2025 (updated October 31, 2025)

SQL injection vulnerability in vipshop Saturn v.3.5.1 and before allows a remote attacker to execute arbitrary code via /console/dashboard/executorCount?zkClusterKey component.

References

gist.github.com/Cafe-Tea/bcef0d7a2bdb5ec8e0d69de852fdc900
github.com/advisories/GHSA-49v8-p6mm-3pfj
github.com/vipshop/Saturn
nvd.nist.gov/vuln/detail/CVE-2025-29085

Code Behaviors & Features

Detect and mitigate CVE-2025-29085 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →