CVE-2018-25165: SQL Injection in Galaxy Forces MMORPG 0.5.8
A SQL injection vulnerability originally identified in 2018 has been formally assigned and catalogued in the NVD as CVE-2018-25165, with a CVSS score of 7.1 (High). The flaw resides in Galaxy Forces MMORPG version 0.5.8, an open-source browser-based massively multiplayer online role-playing game.
The vulnerability allows authenticated attackers to execute arbitrary SQL queries by injecting malicious payloads through the type parameter of the ads.php endpoint, potentially exposing sensitive database contents including user credentials, account data, and game state information.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2018-25165 |
| CVSS Score | 7.1 (High) |
| CWE Classification | CWE-89 — SQL Injection |
| Affected Software | Galaxy Forces MMORPG 0.5.8 |
| Attack Vector | Network |
| Authentication Required | Yes (authenticated attacker) |
| NVD Published | March 6, 2026 |
| Original Flaw Discovery | 2018 |
Technical Details
The vulnerability exists in ads.php, where the type parameter value is passed directly into a SQL query without adequate sanitization or parameterization. An authenticated user with access to the application can craft a POST request with a malicious SQL payload embedded in the type parameter, causing the underlying database to execute unintended queries.
Example attack surface:
```http
POST /ads.php
type=<malicious SQL payload>
```
Successful exploitation can allow an attacker to:
- Extract database contents — user account data, credentials, game records
- Enumerate database structure — table names, column names, schema details
- Read sensitive configuration — if the database user has FILE privileges, server-side files may be accessible
- Modify game data — depending on the SQL injection type and database user privileges
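As an added example (not part of the advisory and not Galaxy Forces code), here is the kind of screening logic a WAF rule for this endpoint would apply: it parses a form-encoded POST body, checks the `type` value against the narrow shape a legitimate value takes, and names which injection indicators were seen so the resulting alert is explainable. The legitimate shape (a short lowercase token) and the sample request bodies are constructed assumptions.

```php
<?php
// Added example, not project code: a WAF-style screen for POST bodies sent
// to ads.php. The "legitimate shape" of `type` is an assumption about the game.
declare(strict_types=1);

// Patterns that have no business in an ad-type value. Each carries a label so
// the alert says what was seen, not only that "something" matched.
const SQLI_INDICATORS = [
    'quote'        => "/['\"]/",
    'comment'      => '/--|#|\/\*/',
    'union_select' => '/\bunion\b.*\bselect\b/i',
    'tautology'    => '/\bor\b\s+\S+\s*=\s*\S+/i',
    'stacked'      => '/;\s*\w/',
];

/**
 * Screen one form-encoded POST body for ads.php.
 * Returns null when the request looks legitimate, otherwise an array
 * describing why it was flagged.
 */
function screenAdsRequest(string $body): ?array
{
    parse_str($body, $params);            // url-decodes, so encoded quotes are seen too
    $type = $params['type'] ?? null;
    if (!is_string($type)) {
        return ['reason' => 'type missing or not a scalar', 'indicators' => []];
    }
    if (preg_match('/^[a-z0-9_]{1,32}$/', $type) === 1) {
        return null;                      // fits the expected shape: let it through
    }
    $hits = [];
    foreach (SQLI_INDICATORS as $label => $re) {
        if (preg_match($re, $type) === 1) {
            $hits[] = $label;
        }
    }
    return [
        'reason'     => 'type outside expected shape',
        'indicators' => $hits,
        'value'      => substr($type, 0, 80),   // truncate before it reaches a log
    ];
}

// Constructed sample bodies, as a WAF audit log would capture them.
$samples = [
    'type=ship',
    'type=weapon&page=2',
    'type=%27+OR+%271%27%3D%271',
    'type=ship%27+UNION+SELECT+1%2C2%2C3--',
    'page=2',
];

foreach ($samples as $body) {
    $verdict = screenAdsRequest($body);
    if ($verdict === null) {
        echo "ALLOW  $body\n";
        continue;
    }
    $detail = $verdict['reason'];
    if ($verdict['indicators'] !== []) {
        $detail .= ': ' . implode(',', $verdict['indicators']);
    }
    echo "BLOCK  $body  ($detail)\n";
}
```

The allowlist check runs first on purpose: a value that fits the expected shape can never match an indicator, so the regexes only ever run on traffic that is already anomalous, and the labels they produce are what an analyst sees in the alert rather than the raw payload alone.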
Context and Impact
Galaxy Forces MMORPG is an open-source project and is unlikely to be running in large-scale production deployments in 2026. The late NVD publication of this 2018 flaw reflects the ongoing effort to formally catalogue and assign CVE identifiers to older vulnerabilities, ensuring they appear in vulnerability management databases and scanner signatures.
Who is affected:
- Self-hosted instances of Galaxy Forces MMORPG 0.5.8 — primarily hobbyist or legacy installations
- Any derivative forks that may have incorporated the affected ads.php code without remediation
Practical risk: Given the age and limited adoption of this software, the real-world exposure is likely low. However, SQL injection vulnerabilities in any web-accessible application carry inherent risk, and any running instances should be patched or decommissioned.
Remediation
- Upgrade or decommission — if running Galaxy Forces MMORPG 0.5.8, update to a patched version or take the installation offline if no longer actively maintained
- Apply parameterized queries — any custom deployments or forks should refactor ads.php to use prepared statements rather than direct string interpolation in SQL queries
- Restrict authentication — limit access to the application to trusted IP ranges if public decommissioning is not immediately feasible
- WAF rules — deploy web application firewall rules to detect and block SQL injection patterns against the affected endpoint
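To show the parameterized-query remediation in runnable form, the following is an added example written for this page and not taken from the Galaxy Forces code base: both query forms run against an in-memory SQLite database through PDO, and a third form adds an allowlist in front of the prepared statement. The `ads` table columns, the sample rows and the set of allowed ad types are assumptions, since the real ads.php schema is not shown here.

```php
<?php
// Added example, not project code: the same lookup written three ways against
// an in-memory SQLite database. The `ads` layout (id, type, title) is assumed.
declare(strict_types=1);

function buildDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE ads (id INTEGER PRIMARY KEY, type TEXT NOT NULL, title TEXT NOT NULL)');
    $insert = $pdo->prepare('INSERT INTO ads (type, title) VALUES (?, ?)');
    // Constructed sample rows.
    foreach ([['ship', 'Used cruiser'], ['ship', 'Fast scout'], ['weapon', 'Laser mk2']] as $row) {
        $insert->execute($row);
    }
    return $pdo;
}

// Vulnerable form, kept only to show the behaviour the advisory describes:
// the request value is spliced into the SQL text and parsed as SQL.
function lookupAdsVulnerable(PDO $pdo, string $type): array
{
    $query = "SELECT id, type, title FROM ads WHERE type = '$type'";
    return $pdo->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: the value travels as a bound parameter and is compared as a
// literal string, whatever characters it contains.
function lookupAdsSafe(PDO $pdo, string $type): array
{
    $stmt = $pdo->prepare('SELECT id, type, title FROM ads WHERE type = ?');
    $stmt->execute([$type]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Defence in depth: `type` is a small closed vocabulary (assumed here), so
// anything outside it is rejected before a query is even built.
const ALLOWED_AD_TYPES = ['ship', 'weapon', 'module'];

function lookupAdsStrict(PDO $pdo, string $type): array
{
    if (!in_array($type, ALLOWED_AD_TYPES, true)) {
        throw new InvalidArgumentException('unknown ad type');
    }
    return lookupAdsSafe($pdo, $type);
}

$pdo     = buildDb();
$benign  = 'ship';
$crafted = "' OR '1'='1";   // constructed test input containing SQL metacharacters

printf("benign,  interpolated: %d rows\n", count(lookupAdsVulnerable($pdo, $benign)));
printf("crafted, interpolated: %d rows\n", count(lookupAdsVulnerable($pdo, $crafted)));
printf("crafted, prepared:     %d rows\n", count(lookupAdsSafe($pdo, $crafted)));
try {
    lookupAdsStrict($pdo, $crafted);
} catch (InvalidArgumentException $e) {
    echo "crafted, allowlisted:  rejected before any SQL was built\n";
}
```

Run it with a PHP build that has pdo_sqlite. With the crafted value the interpolated query returns every row, because the WHERE clause has been rewritten; the prepared statement returns none, because the whole value is compared as a literal; and the allowlisted version never reaches the database. In a patched ads.php the last two together are the target: the prepared statement is what removes the injection, the allowlist is what keeps unexpected input out of the query and out of the logs.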
Secure coding pattern:
```php
// Vulnerable pattern: the request value is interpolated into the SQL text
$type = $_POST['type'];
$query = "SELECT * FROM ads WHERE type = '$type'";

// Secure pattern: parameterized query, the value is bound and never parsed as SQL
$stmt = $pdo->prepare("SELECT * FROM ads WHERE type = ?");
$stmt->execute([$_POST['type']]);
```
Key Takeaways
- CVE-2018-25165 is a SQL injection flaw in Galaxy Forces MMORPG 0.5.8, now formally catalogued in NVD with CVSS 7.1 (High)
- Authenticated attackers can extract arbitrary database contents via the type parameter in ads.php
- Limited production exposure — the software is open-source with low adoption; risk is primarily relevant to legacy or self-hosted instances
- Remediation: Update, decommission, or refactor to use parameterized queries