LevelBlue SpiderLabs: SQL Injection in Orkes Conductor: CVE-2025-66387

LevelBlue SpiderLabs has discovered a vulnerability in the Orkes Conductor platform (version 5.2.4 | v1.19.12) that allows authenticated attackers to perform time-based blind SQL injection attacks against the backend PostgreSQL database.

Orkes Conductor is a managed workflow orchestration platform used to model complex, distributed microservice and human workflows. The vulnerability arises from improper input validation on the “sort” parameter in the /api/workflow/search endpoint, enabling the injection of crafted SQL expressions directly into backend queries.

Affected Product

• Product: Orkes Conductor
• Version: 5.2.4 (Platform v1.19.12)
• Component: /api/workflow/search
• Database: PostgreSQL
• CVE ID: CVE-2025-66387

Vulnerability Details

The vulnerable endpoint accepts user-controlled input in the “sort” query parameter, which is directly embedded in SQL statements executed on the backend without proper sanitization. While basic filtering is in place to prevent common payloads, LevelBlue researchers successfully bypassed these checks using time-based blind SQL injection techniques.

The following proof-of-concept payload resulted in a deliberate five-second delay in the server’s response, confirming the presence of a time-based SQL injection vulnerability:

?sort=(SELECT 1371 FROM PG_SLEEP(5))

Figure 1. PoC request resulted in a five-second delay in the server’s response.

Another example:

?sort=(SELECT 1 + CASE WHEN (SELECT ASCII(SUBSTRING(datname,1,1)) FROM pg_database LIMIT 1 OFFSET 0) = 112 THEN PG_SLEEP(5) ELSE 0 END)

This payload would trigger a measurable time delay if the first character of the database name matched the ASCII value (e.g., 112 = 'p'), enabling data exfiltration character-by-character.

This technique enabled the enumeration of database names, table names, and column metadata.

Impact

Successful exploitation of this vulnerability allows a remote, authenticated attacker to extract internal PostgreSQL database names and contents.

Depending on deployment and database configuration, the attacker could gain access to confidential application data or orchestrated workflow states.

Root Cause

The core issue lies in unsanitized SQL string construction in dynamic query sorting logic. Application-layer filtering was insufficient to block logical injection chains and failed to use prepared statements or query parameterization.

Remediation

The vulnerability has been addressed by Orkes, and users are recommended to update to the latest version, and to validate and escape all user-supplied inputs and use prepared statements with bind variables.

Timeline

• [Discovery Date]: 09-15-2025
• [Vendor Notified]: 09-19-2025 
• [CVE Assigned]: 11-28-2025
• [Public Disclosure]: 12-18-2025

Credit

This vulnerability was discovered by Timothy Stamopoulos, on behalf of LevelBlue SpiderLabs, during a client engagement.