Vendure @vendure/core Unauthenticated SQL Injection Vulnerability Summary

Vulnerability Summary: @vendure/core SQL Injection Vulnerability Overview An unauthenticated SQL injection vulnerability exists in the Vendure Shop API. The user-controlled query string parameter is directly concatenated into raw SQL expressions without parameterization or validation, allowing an attacker to execute arbitrary SQL statements. The Admin API is also affected but requires authentication for exploitation. Impact Scope Affected Versions: - >=1.7.4, =3.0.0, =3.6.0, <3.6.2 Fixed Versions: 2.3.4, 3.5.7, 3.6.2 CVSS Score: 9.1/10 (Critical) Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: High Remediation 1. Upgrade Immediately to Fixed Versions: - 2.3.4 - 3.5.7 - 3.6.2 2. Temporary Mitigation (if immediate upgrade is not possible): Add the following code to to validate the input: Replace the existing method in with this code. Invalid values will be silently discarded and the channel’s default language code will be used instead. Technical Details The vulnerability resides in the method, where the value is inserted into a SQL expression via a JavaScript template literal: TypeORM cannot parameterize this value because it is embedded into the SQL string before being passed to the query builder. The value can originate from the HTTP query string and is set directly into the request context for each incoming API request. It is cast at compile time to the TypeScript type , but no runtime validation is performed—the raw query string value is used as-is. Attack Vector An unauthenticated attacker can append a crafted query parameter to any Shop API request to inject arbitrary SQL into the query. No user interaction is required. The vulnerable endpoints are exposed on any default installation of Vendure by default.

Goal Reached Thanks to every supporter — we hit 100%!

Vendure @vendure/core Unauthenticated SQL Injection Vulnerability Summary

More from this source