CVE-2025-6738

Name of the Vulnerable Software and Affected Versions: huija bicycleSharingServer up to 7b8a3ba48ad618604abd4797d2e7cf3b5ac7625a

Description: A critical vulnerability has been found in the huija bicycleSharingServer, affecting the function userDao.selectUserByUserNameLike of the file UserServiceImpl.java. The manipulation of the argument Username leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. This product is using a rolling release to provide continuous delivery, and therefore, no version details for affected nor updated releases are available.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider disabling the userDao.selectUserByUserNameLike function until a patch is available. Restrict access to the UserServiceImpl.java file to minimize the risk of exploitation. Avoid using the Username argument in the affected function until the issue is resolved.