LoopBack connectors SQL injection vulnerability
- Date:
- Security risk: Highly critical
- Vulnerability: SQL Injection
Description
LoopBack allows you to define model properties (including id) as number types. A vulnerability in the implementations of relational database connectors allows an attacker to send specially crafted requests (SQL statements as the value of numbers) resulting in arbitrary SQL execution. This vulnerability can be exploited by anonymous users.
Reported by
David Kirchner
Versions affected
- loopback-connector-postgresql prior to 1.3.0
- loopback-connector-mssql prior to 1.3.0
- loopback-connector-oracle prior to 1.5.0
- loopback-connector-mysql prior to 1.5.0 (The SQL injection is not possible but invalid numbers are treated as NaN).
Solution
Please upgrade your project dependencies to use the latest versions of connectors and run npm update:
- loopback-connector-postgresql@1.3.0
- loopback-connector-mssql@1.3.0
- loopback-connector-oracle@1.5.0
- loopback-connector-mysql@1.5.0
How to report security vulnerabilities?
Please send us an e-mail at callback@strongloop.com.