@adonisjs/lucid Mass Assignment Vulnerability Allowing Internal ORM State Overwrite

Vulnerability

A mass assignment vulnerability has been identified in @adonisjs/lucid, an SQL ORM for AdonisJS that uses Knex. This vulnerability exists in versions through 21.8.1 and in pre-release versions of 22.x prior to 22.0.0-next.6. The issue allows remote attackers to overwrite the internal state of the ORM by manipulating data passed into model assignments. This could lead to unauthorized modifications of records or logic bypasses within a model or table.

Impact

Exploitation of this vulnerability allows for unauthorized modification of records and bypassing of application logic, potentially leading to incorrect data handling or validation.

Reproduction

To reproduce this vulnerability, pass unvalidated data, or validated data that still carries unknown properties, into a Lucid model assignment method such as merge() or $consumeAdapterResult(). The vulnerability exploits the hasOwnProperty check used to validate assignment targets: because the ORM's internal state properties are own instance properties, the check accepts them as valid targets and they can be overwritten by attacker-controlled keys.

Remediation

Upgrade to @adonisjs/lucid versions 21.8.2 or 22.0.0-next.6. Developers can also mitigate this vulnerability by strictly validating model inputs with an allow list that removes unknown keys.
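The allow-list mitigation described above, as an added example that is not part of the advisory or of @adonisjs/lucid itself. It assumes the application knows its model's column names (the hypothetical User model and its USER_COLUMNS list are constructed for illustration) and applies the filter before any data reaches merge(). Keys outside the list are dropped whatever their name, so unexpected keys never reach the model, and unknownKeys() lets the caller reject or log payloads that carried extra keys instead of silently stripping them.

```javascript
// Added example, not code from the advisory or from @adonisjs/lucid.
// Allow-list filter applied to request data before a Lucid model assignment.

// Columns of a hypothetical User model (constructed for this example).
const USER_COLUMNS = ['fullName', 'email'];

// Return a fresh object holding only the keys named in `allowed`.
// Every other key is dropped, including own properties such as
// "__proto__" or "constructor" that JSON.parse can create on a payload.
function pickAllowed(input, allowed) {
  const out = {};
  if (input === null || typeof input !== 'object') return out;
  for (const key of allowed) {
    if (Object.prototype.hasOwnProperty.call(input, key)) {
      out[key] = input[key];
    }
  }
  return out;
}

// List the keys of `input` that are not on the allow list, so a handler
// can reject the request (or log it) rather than silently strip them.
function unknownKeys(input, allowed) {
  if (input === null || typeof input !== 'object') return [];
  const allowedSet = new Set(allowed);
  return Object.keys(input).filter((key) => !allowedSet.has(key));
}

// Constructed request body: two real columns plus one unexpected key
// (the key name is a placeholder, not a real Lucid property).
const constructedBody = JSON.parse(
  '{"fullName":"Ada","email":"ada@example.test","$unexpectedKey":true}'
);

// Usage in an AdonisJS controller would look like (assumed pattern):
//   const extra = unknownKeys(request.body(), USER_COLUMNS);
//   if (extra.length) return response.badRequest({ unknownKeys: extra });
//   user.merge(pickAllowed(request.body(), USER_COLUMNS));
console.log(pickAllowed(constructedBody, USER_COLUMNS));
console.log(unknownKeys(constructedBody, USER_COLUMNS));
```

Validating with the framework's schema validator is still the first line of defence; this filter is a belt-and-braces step for code paths where validated data may still carry unknown properties, which is the case the advisory calls out.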

Added: Jan 13, 2026, 8:39 PM
Updated: Jan 13, 2026, 8:39 PM

Vulnerability Rating

Custom Algorithm (score per category)
spread: 0.0
impact: 0.6
exploitability: 6.6
remediation: 7.7
relevance: 2.0
threat: 1.6
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.