CVE-2025-50983: 
NixOS vulnerability analysis and mitigation

A SQL Injection vulnerability (CVE-2025-50983) was discovered in readarr version 0.4.15.2787, specifically in the sortKey parameter of the GET /api/v1/wanted/cutoff API endpoint. The vulnerability was disclosed on August 27, 2025, affecting the readarr application's backend SQLite database (NVD).

The vulnerability stems from improper sanitization of user-supplied input in the sortKey parameter, enabling attackers to inject and execute arbitrary SQL commands against the backend SQLite database. The vulnerability was confirmed exploitable using sqlmap, which demonstrated the ability to execute stacked queries. Technical validation included successful execution of time-based payloads using SQLite's RANDOMBLOB() and HEX() functions. The vulnerability has received a CVSS v3.1 base score of 8.3 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L (NVD).

The vulnerability allows attackers to execute arbitrary SQL commands against the backend SQLite database, potentially leading to unauthorized access to sensitive data, manipulation of database contents, and partial system disruption. The high CVSS score indicates significant potential for both confidentiality and integrity breaches (NVD).