CVE-2025-3164

Summary

A vulnerability was found in Tencent Music Entertainment SuperSonic up to 0.9.8. It has been rated as critical. Affected by this issue is some unknown functionality of the file /api/semantic/database/testConnect of the component H2 Database Connection Handler. The manipulation leads to code injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Affected Software

VendorProductVersion RangeStatus
Tencent Music EntertainmentSuperSonic0.9.0affected
Tencent Music EntertainmentSuperSonic0.9.1affected
Tencent Music EntertainmentSuperSonic0.9.2affected
Tencent Music EntertainmentSuperSonic0.9.3affected
Tencent Music EntertainmentSuperSonic0.9.4affected
Tencent Music EntertainmentSuperSonic0.9.5affected
Tencent Music EntertainmentSuperSonic0.9.6affected
Tencent Music EntertainmentSuperSonic0.9.7affected
Tencent Music EntertainmentSuperSonic0.9.8affected

Weaknesses

  • CWE-94: Code Injection
  • CWE-74: Injection

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

Additional References

References