PT-2025-17314 · Unknown · Namelessmc

Vz0N · Published 2025-04-18 · Updated 2025-04-18 · CVE-2025-32389

CVSS v4.0: 8.6 (High)

Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions

NamelessMC versions prior to 2.1.4

Description

The issue is an SQL injection triggered by supplying a GET parameter in an unexpected square bracket syntax. This syntax is the form ?param[0]=a&param[1]=b&param[2]=c, which PHP parses so that $_GET['param'] is of type array.

Recommendations

For versions prior to 2.1.4, update to version 2.1.4 to resolve the issue. As a temporary workaround, consider restricting access to API endpoints that utilize the square bracket GET parameter syntax until the update is applied. Avoid using the square bracket syntax in GET parameters for affected versions until the issue is resolved.
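
The following PHP example is added here for illustration; it is not part of the advisory and is not NamelessMC's code or its 2.1.4 fix. It shows how the bracket syntax changes a parameter's type and one way to reject non-scalar values before they reach a query. The helper names, the `id` parameter, the `users` table and the in-memory SQLite database are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added illustration, not NamelessMC code. parse_str() applies the same
// bracket rules PHP uses when it builds $_GET from the query string.
function parseQuery(string $queryString): array
{
    parse_str($queryString, $params);
    return $params;
}

// Hypothetical helper: accept a parameter only when it is a single string
// of digits. An array (from ?id[0]=...) is rejected before any SQL is built.
function requireIntParam(array $get, string $name): int
{
    $value = $get[$name] ?? null;
    if (!is_string($value) || !ctype_digit($value)) {
        throw new InvalidArgumentException(
            sprintf('%s must be a single integer, got %s', $name, gettype($value))
        );
    }
    return (int) $value;
}

// Constructed in-memory table standing in for application data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (id, name) VALUES (1, 'alice')");

// Constructed sample requests: one scalar, two using bracket syntax.
$samples = ['id=1', 'id[0]=a&id[1]=b&id[2]=c', 'id[key]=1'];

foreach ($samples as $queryString) {
    $get = parseQuery($queryString);
    printf("%-26s => %s\n", $queryString, gettype($get['id']));
    try {
        $id = requireIntParam($get, 'id');
        // The validated value is still passed as a bound parameter.
        $stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id');
        $stmt->execute([':id' => $id]);
        printf("  accepted, row: %s\n", var_export($stmt->fetchColumn(), true));
    } catch (InvalidArgumentException $e) {
        printf("  rejected: %s\n", $e->getMessage());
    }
}
```

Running it needs the `pdo_sqlite` extension; only the first sample reaches the prepared statement, and the two bracket-syntax requests are rejected as arrays.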

Exploit

Fix

SQL injection


Weakness Enumeration

Related Identifiers

CVE-2025-32389
GHSA-5984-MHCP-CQ2X

Affected Products

Namelessmc