In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsUpgrade recce to version 1.50.0 or higher.
recce is an Environment diff tool for dbt
Affected versions of this package are vulnerable to External Control of File Name or Path via the query run API when configured with a DuckDB-backed project. An attacker can access or modify local files accessible to the server process, potentially leading to disclosure of sensitive files, tampering with artifacts, modification of static files resulting in stored XSS, or alteration of application files by sending crafted SQL queries that leverage DuckDB filesystem primitives. This is only exploitable if the server is exposed to an untrusted network without authentication.
This vulnerability can be mitigated by enabling authentication, placing the server behind an authenticated reverse proxy or VPN, running the server as a non-root user, using a read-only application filesystem, and ensuring sensitive files or credentials are not accessible to the server process.