Cycle Steps Identified as SQL Injection

Firewall detection for a recently identified vulnerability is incorrectly identifying certain Cycle test steps as a high-severity SQL injection threat.

We have seen several instances of Cycle test steps, such as the MOCA connection step, being flagged as SQL injection by some firewalls.

Example


Execution of the step:
Given I connect to MOCA at "<ADDRESS>" logged in as "<USERNAME>" with password "<PASSWORD>"

may display the error below in Cycle even though you are able to confirm MOCA connectivity outside of Cycle:


Your organization's firewall may be reporting a threat detection similar to the one below:

Vulnerability Details


The specific vulnerability that is flagging Cycle as SQL injection is CVE-2025-24799.

Additional information about this specific CVE can be found at this link.

Resolution


The Cycle Labs Product Development team is working to identify the root cause of this issue.

Our goal is to incorporate a long-term fix to Cycle that will prevent this CVE from identifying Cycle steps as attempts at SQL injection.

We will update this article with a Cycle version number and projected release date once we have identified a fix and scheduled the Cycle version release. 

In the meantime, your organization's network security team will need to put an override of CVE-2025-24799 in place in order to use the Cycle steps that are flagged as SQL injection.

Depending on the firewall used by your organization, options for overriding the CVE may allow scoping the override to a specific set of IP addresses, so that only devices running Cycle tests override the CVE threat detection.

We understand that overriding a CVE is not the optimal solution, and we are working diligently to provide the long-term solution.

If you have any questions or concerns about this issue or placing an override on the CVE, please reach out to help@cyclelabs.io, and we will assist you as you engage your network security team for resolution.