CVE-2022-2422: Feathers js library SQL Injection vulnerability via improper input validation with feathers-sequelize
CVE-2022-2422 is a critical vulnerability discovered in the Feathers js library, a popular open-source framework for building real-time applications and REST APIs. This vulnerability specifically impacts projects that use the feathers-sequelize package, which is commonly used as a database adapter for Feathers applications leveraging the Sequelize library for interacting with SQL databases. Due to inadequate input validation, an attacker can exploit this vulnerability to perform a SQL injection attack on the connected back-end database, potentially leading to unauthorized data access, modification, or deletion.
In this extensive post, we'll cover the details of this vulnerability, the affected versions, the steps to reproduce the vulnerability, and the recommended mitigation practices. We'll also provide code snippets and links to the original references to help readers better comprehend this critical security issue.
Exploit Details
This vulnerability stems from the improper input validation in the Feathers js library when handling certain incoming requests in applications that use the feathers-sequelize package. As a result, an attacker can craft malicious SQL queries that exploit this weakness to access, modify or delete records in the back-end SQL databases.
The following code snippet demonstrates the primary cause of this vulnerability in a typical Feathers application with the feathers-sequelize package:
// Inside a typical app.js file with Feathers and Sequelize
const app = require('feathers')();
const Sequelize = require('sequelize');
const sequelize = new Sequelize('database', 'username', 'password');
const feathers_sequelize = require('feathers-sequelize');
const User = sequelize.define('user', {
username: {
type: Sequelize.STRING,
},
password: {
type: Sequelize.STRING,
},
});
app.use('/users', feathers_sequelize({Model: User}));
// This is where the vulnerability can be exploited
app.get('/users', (req, res) => {
app.service('users').find({ query: req.query }).then((data) => {
res.json(data);
});
});
As shown in this example, the /users endpoint can be potentially exploited to attack the SQL database due to improper input validation.
To reproduce the vulnerability, an attacker can use the following steps
1. Set up a vulnerable Feathers application with the Sequelize integration, as shown in the earlier code snippet.
2. Send a malicious HTTP GET request with crafted query parameters to exploit the SQL injection vulnerability.
For example, an attacker could send the following request to enumerate all users in the connected SQL database:
GET /users?username=test' OR '1'='1
To mitigate this vulnerability, it is recommended to perform the following steps
1. Upgrade to Feathers js library version 4.x or higher to take advantage of improved security features.
2. Use proper input validation mechanisms to ensure that malicious SQL queries are not executed on the back-end databases, such as utilizing prepared statements and parameterized queries.
Original References
1. CVE-2022-2422 - Official CVE entry confirmation.
2. Feathers js GitHub repository - Information and updates on the Feathers js library.
Conclusion
CVE-2022-2422 represents a critical SQL injection vulnerability that can be exploited in Feathers applications using the feathers-sequelize package. By properly performing input validation and upgrading to the latest Feathers js version, developers can mitigate the risks associated with this vulnerability and secure their applications against potential attacks.
Timeline
Published on: 10/26/2022 10:15:00 UTC
Last modified on: 02/28/2023 19:06:00 UTC