SQL Injection via Unparameterized Sync Endpoints (maxLoadedId) · Advisory · saltcorn/saltcorn · GitHub

SQL Injection Vulnerability Summary Vulnerability Overview Vulnerability Name: SQL Injection via Unparameterized Sync Endpoints (maxLoadedId) Vulnerability Type: SQL Injection Severity: Critical (10.0 / 10) CVE ID: CVE-2025-41478 CVSS v3 Base Metrics: - Attack vector: Network - Attack complexity: Low - Privileges required: Low - User interaction: None - Scope: Changed - Confidentiality: High - Integrity: High - Availability: High Impact Scope Affected Versions: v1.4.5 Fixed Versions: 1.4.6, 1.5.6, 1.6.0-beta.5 Affected Components: Saltcorn's mobile-sync endpoints Affected Users: Any authenticated low-privilege users in Saltcorn deployments where the affected mobile-sync routes are exposed Potential Impacts: - Full database leakage (including password hashes, configuration keys, application data, and schema information) - On certain backends, this vulnerability may also allow write operations, schema modifications, or destructive actions Remediation Upgrade Version: Upgrade to 1.4.6, 1.5.6, 1.6.0-beta.5 or later Vulnerability Details Vulnerability Description: Saltcorn's mobile-sync routes allow any authenticated low-privilege user with read access to inject arbitrary SQL on at least one table. This can lead to full database leakage, including administrator password hashes and configuration keys, and may enable database modification or destruction depending on the backend. Affected Endpoints: - POST /sync/load_changes - POST /sync/deletes Root Cause of Vulnerability: User-controlled values are directly interpolated into SQL template literals from the request body without parameterization, type enforcement, or sanitization. In particular, is embedded into SQL, and timestamp-derived values are similarly interpolated. Relevant Vulnerable Code Paths: - - - - - - route handler Underlying Root Cause: Values are treated as trusted SQL fragments rather than bound parameters. Although sanitize() isNumeric()`, numeric validation, or prepared statement binding before these values are concatenated into the query string. Proof of Concept (PoC) Exploitation Method: Based on the provided report, the issue can be reproduced by authenticating as a regular user, sending a crafted request to the affected sync endpoint, and placing malicious SQL expressions in the sync metadata fields. These expressions are then interpolated into the backend query. Successful exploitation will return attacker-chosen database content in the sync response.

Goal Reached Thanks to every supporter — we hit 100%!

SQL Injection via Unparameterized Sync Endpoints (maxLoadedId) · Advisory · saltcorn/saltcorn · GitHub

More from this source