Parsl SQL Injection Vulnerability in Visualization Component
Vulnerability
A SQL injection vulnerability has been identified in the visualization component of the Parsl library, specifically in versions prior to 2026.01.05. The issue arises because the application creates SQL queries using unsafe string formatting with user-supplied input directly from URL routes. This vulnerability allows an unauthenticated attacker with access to the visualization dashboard to inject arbitrary SQL commands, which could lead to data exfiltration or a denial-of-service condition against the monitoring database.
Impact
Exploitation of this vulnerability allows for arbitrary SQL injection, which could be used to exfiltrate data from the monitoring database or cause a denial-of-service condition by crashing the visualization server or database.
Reproduction
To reproduce this vulnerability, navigate to the 'dag_group_by_states' endpoint of a running 'parsl-visualize' server with monitoring enabled. Inject SQL payloads into the 'workflow_id' parameter to manipulate the SQL query logic. For example, injecting a false condition can disrupt the visualization, while a true condition can restore it.
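The following is an added illustration, not code from Parsl or from this advisory, of the pattern described above: a query assembled with string formatting from a route parameter, placed beside the parameterized form that fixes it. The in-memory SQLite table, its columns and the row data are constructed stand-ins for the monitoring database, not Parsl's schema; the function names are hypothetical. The tautology input shows why the Reproduction section observes that a true condition changes what the endpoint returns: with string formatting the whole query logic is under the caller's control, whereas with a bound parameter the same text is only ever compared as a value.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a monitoring database (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE task (run_id TEXT, task_id INTEGER, status TEXT)")
    conn.executemany(
        "INSERT INTO task VALUES (?, ?, ?)",
        [
            ("run-1", 1, "done"),
            ("run-1", 2, "failed"),
            ("run-2", 3, "done"),
        ],
    )
    return conn


def count_by_state_vulnerable(conn: sqlite3.Connection, workflow_id: str) -> dict:
    """Vulnerable pattern: the untrusted route parameter is interpolated into SQL text,
    so quotes and operators in it become part of the statement."""
    query = (
        "SELECT status, COUNT(*) FROM task "
        f"WHERE run_id = '{workflow_id}' GROUP BY status"
    )
    return dict(conn.execute(query).fetchall())


def count_by_state_fixed(conn: sqlite3.Connection, workflow_id: str) -> dict:
    """Hardened form: the value is bound as a parameter; the database driver never
    parses it as SQL, so it can only match (or fail to match) a run_id value."""
    query = "SELECT status, COUNT(*) FROM task WHERE run_id = ? GROUP BY status"
    return dict(conn.execute(query, (workflow_id,)).fetchall())


# Constructed input: a quote followed by an always-true condition.
TAUTOLOGY_INPUT = "' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    # Both versions agree on a well-formed workflow id.
    print("vulnerable, run-1:", count_by_state_vulnerable(db, "run-1"))
    print("fixed,      run-1:", count_by_state_fixed(db, "run-1"))
    # The string-formatted query now returns counts across every workflow,
    # i.e. rows the caller was never scoped to; the bound query returns nothing
    # because no run_id equals that literal text.
    print("vulnerable, tautology:", count_by_state_vulnerable(db, TAUTOLOGY_INPUT))
    print("fixed,      tautology:", count_by_state_fixed(db, TAUTOLOGY_INPUT))
```

The difference to look for when reviewing similar code is not the presence of quoting but where the value enters: any path that builds the statement text from the request (f-strings, `%` formatting, `str.format`, concatenation) has this defect, and the fix is to pass the value through the driver's or ORM's parameter binding so the statement text is constant regardless of input.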
Remediation
Users can upgrade to Parsl version 2026.01.05 or later, where this vulnerability has been fixed.
