SQL Injection Affecting knex package, versions <0.6.23, >=0.7.0 <0.7.6


Severity: medium

CVSS assessment made by Snyk's Security Team.

  • Snyk ID: npm:knex:20150413
  • published: 20 Dec 2016
  • disclosed: 12 Apr 2015
  • credit: Jorge Godoy

Introduced: 12 Apr 2015

CVE: not available. CWE-89

How to fix?

Upgrade knex to versions 0.6.23, 0.7.6 or higher.

Overview

knex is a batteries-included SQL query & schema builder for Postgres, MySQL and SQLite3 and the Browser.

Column names are not properly escaped in the PostgreSQL dialect: a double quote inside a column name is passed through unchanged, so what was meant to be one quoted identifier can become several. This may allow attackers to craft a query to the host database and access private information. Writing the following code:

// PostgreSQL dialect, where the unescaped identifier quoting occurs (client setup assumed; no connection is needed to call toSQL())
var knex = require('knex')({ client: 'pg' });
// The column string contains an embedded double quote that the affected versions do not escape
var query = knex.select('id","name').from('test');
console.log(query.toSQL());

Has the following result:

{ method: 'select',
  options: undefined,
  bindings: [],
  sql: 'select "id","name" from "test"' }
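To show what the fix has to do, an added example (not knex's own code; the function names are assumptions): a naive PostgreSQL identifier wrapper that reproduces the output above, an escaping wrapper that doubles embedded quotes the way PostgreSQL expects, and an allow-list check for column names that come from outside the application.

```javascript
// Added example, not knex's own code. Function names are assumptions.

// Naive wrapper: surrounds the name with double quotes but never escapes
// quotes inside it, so the string 'id","name' turns into two identifiers.
function wrapIdentifierNaive(name) {
  return '"' + name + '"';
}

// Escaping wrapper: PostgreSQL writes a literal double quote inside a quoted
// identifier as two double quotes, so the whole string stays a single name.
function wrapIdentifierEscaped(name) {
  return '"' + String(name).replace(/"/g, '""') + '"';
}

// Build the SELECT shown on this page with the chosen wrapper.
function buildSelect(columns, table, wrap) {
  return 'select ' + columns.map(wrap).join(',') + ' from ' + wrap(table);
}

// Defence in depth: column names supplied from outside the application are
// matched against the columns the query is actually allowed to touch, and
// only then quoted with the escaping wrapper.
function selectAllowed(columns, table, allowed) {
  for (const col of columns) {
    if (!allowed.includes(col)) {
      throw new Error('column not allowed: ' + JSON.stringify(col));
    }
  }
  return buildSelect(columns, table, wrapIdentifierEscaped);
}

const hostile = 'id","name'; // constructed input, the same string as the page's example
console.log(buildSelect([hostile], 'test', wrapIdentifierNaive));
// select "id","name" from "test"     (two columns, as in the output above)
console.log(buildSelect([hostile], 'test', wrapIdentifierEscaped));
// select "id"",""name" from "test"   (one column whose name contains a quote)
```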

CVSS Scores (version 3.1)