Introduction
Authenticated attackers holding well-known authentication tokens can reach restricted compliance functions in Chef Automate, potentially exposing sensitive configuration and compliance data. The vulnerability affects enterprise environments that rely on Chef Automate for security and compliance automation, so affected deployments should be upgraded without delay.
About Progress Chef Automate: Progress Chef Automate is a widely adopted infrastructure automation and compliance management platform used by large enterprises to manage configuration, security, and compliance at scale. The product is developed by Progress Software, a major player in enterprise automation, which acquired Chef in 2020. Chef Automate is deployed across thousands of organizations globally, providing critical automation and compliance functions in diverse IT environments.
Technical Information
CVE-2025-8868 is a critical SQL injection vulnerability (improper neutralization of special elements used in an SQL command) in the compliance service of Chef Automate. The flaw is present in all versions earlier than 4.13.295 on Linux x86. An authenticated attacker in possession of well-known authentication tokens can supply input that the compliance service does not properly neutralize before it is used in SQL commands, so crafted values alter the statement that is executed. The vendor describes the impact as access to restricted compliance functions; an attacker who can read or rewrite compliance queries can also be expected to reach compliance data and results outside the scope the token was granted.
The root cause is insufficient input validation combined with query construction that does not use bound parameters in the compliance service. Note the prerequisite: the attacker must already hold a well-known token, so deployments that share or reuse such tokens broaden the set of parties who can exploit the flaw. Attackers meeting that prerequisite may be able to escalate privileges or extract sensitive information from the backend database. No public code snippets or detailed endpoint information are available at this time.
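Because the vendor has not published the affected endpoint or query, the following is an added, generic illustration of the flaw class rather than Chef Automate's own code. It uses an in-memory SQLite table with constructed sample rows and hypothetical column names (`project`, `node_name`, `status`) to show how a filter value spliced into the SQL text lets a caller scoped to one project read another project's reports, and how binding the values as parameters, plus an allowlist for the sort column (identifiers cannot be bound), closes that path:

```python
"""Added example, not Chef Automate code: a string-built compliance
query beside its parameterized form. Table, rows, column names and
the idea of project-scoped tokens are all constructed for this demo."""
import sqlite3

# Constructed sample data: compliance reports belonging to two projects.
SAMPLE_REPORTS = [
    ("r1", "project-a", "node-a1", "failed"),
    ("r2", "project-a", "node-a2", "passed"),
    ("r3", "project-b", "node-b1", "failed"),
]

# Hypothetical allowlist of columns a caller may sort by.
SORTABLE_COLUMNS = {"node_name", "status"}


def make_db():
    """Create an in-memory database holding the constructed reports."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE reports (id TEXT, project TEXT, node_name TEXT, status TEXT)"
    )
    conn.executemany("INSERT INTO reports VALUES (?, ?, ?, ?)", SAMPLE_REPORTS)
    return conn


def reports_vulnerable(conn, project, status, sort_by="node_name"):
    """Vulnerable pattern: filter values and the sort column are formatted
    straight into the SQL text, so a crafted value rewrites the statement."""
    sql = (
        f"SELECT id FROM reports WHERE project = '{project}' "
        f"AND status = '{status}' ORDER BY {sort_by}"
    )
    return sorted(row[0] for row in conn.execute(sql))


def reports_hardened(conn, project, status, sort_by="node_name"):
    """Hardened pattern: values are bound parameters and can never change
    the SQL text; the sort column, which cannot be bound, is allowlisted."""
    if sort_by not in SORTABLE_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    sql = (
        "SELECT id FROM reports WHERE project = ? AND status = ? "
        f"ORDER BY {sort_by}"
    )
    return sorted(row[0] for row in conn.execute(sql, (project, status)))


def demo():
    """Return (honest result, leaked rows, hardened result) for one payload."""
    conn = make_db()
    # A token scoped to project-a legitimately sees only its failed report.
    honest = reports_vulnerable(conn, "project-a", "failed")
    # The same caller closes the string literal, neutralises the project
    # filter with OR, and comments out the rest of the statement.
    payload = "x' OR '1'='1' -- "
    leaked = reports_vulnerable(conn, "project-a", payload)
    # Against the parameterized query the payload is just a status value
    # that matches nothing.
    bound = reports_hardened(conn, "project-a", payload)
    return honest, leaked, bound


if __name__ == "__main__":
    print(demo())  # (['r1'], ['r1', 'r2', 'r3'], [])
```

The split between the two fixes matters in practice: compliance APIs commonly accept both filter values and field names (sort keys, group-by columns), and only the former can be passed as bound parameters. Any identifier taken from the caller must be checked against a fixed allowlist, as `reports_hardened` does, or the parameterized query is still injectable through that path.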
Affected Systems and Versions
- Product: Progress Chef Automate
- Platform: Linux x86
- Affected Versions: All versions earlier than 4.13.295
- Fixed Version: 4.13.295 and later
- Vulnerable configuration: Any deployment of Chef Automate on Linux x86 prior to 4.13.295
Vendor Security History
Progress Software has previously addressed similar vulnerabilities in Chef Automate and related products. Notable examples include:
- CVE-2023-42658: Input validation flaw in Chef InSpec profile processing
- CVE-2023-40050: Code execution via malicious profile uploads
The vendor typically releases patches promptly and provides detailed advisories. The recurrence of input validation issues points to ongoing challenges in that area, but the patch response has been consistent.