CVE-2025-29085: 
Java vulnerability analysis and mitigation

SQL injection vulnerability discovered in vipshop Saturn version 3.5.1 and earlier versions, identified as CVE-2025-29085. The vulnerability was disclosed on April 2, 2025, affecting the Saturn application's dashboard component. This security flaw allows remote attackers to execute arbitrary code through the /console/dashboard/executorCount?zkClusterKey component (NVD).

The vulnerability exists in the DashboardController class of Saturn's console component. The executorCount method, which handles GET requests to /console/dashboard/executorCount, accepts an unvalidated zkClusterKey parameter. This parameter is directly concatenated into SQL queries within the getExecutorHistory method, leading to SQL injection possibilities. The vulnerability has received a CVSS v3.1 base score of 9.8 (CRITICAL) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating high severity with potential for complete system compromise (NVD, GitHub POC).

The SQL injection vulnerability allows remote attackers to execute arbitrary code, potentially leading to complete system compromise. The critical CVSS score of 9.8 indicates severe potential impact on system confidentiality, integrity, and availability (NVD).

Users should upgrade to a version newer than Saturn v3.5.1 once available. No official patch or workaround has been published at the time of this report.