New API SQL LIKE Wildcard Injection Vulnerability in Token Search Endpoint Allowing Denial-of-Service

Vulnerability

A SQL LIKE wildcard injection vulnerability has been identified in the New API token search endpoint (/api/token/search) prior to version 0.10.8-alpha.10. It allows authenticated users to cause a denial-of-service condition by crafting search patterns that exploit the SQL LIKE clause: the injected patterns trigger resource-intensive database queries and degrade application performance. The issue arises because the endpoint does not escape the LIKE wildcard characters ('%' and '_') in the user-supplied 'keyword' and 'token' parameters, so a user can inject patterns that exhaust server resources.

Impact

Exploitation of this vulnerability leads to a significant degradation of application performance, causing memory exhaustion and blocking or delaying legitimate user requests. The database becomes overwhelmed with slow queries, and there is a spike in CPU usage, particularly when processing large result sets. In some cases, this can cause the application to crash or exhaust the database connection pool.

Reproduction

To reproduce this vulnerability, an authenticated user can send a request to the /api/token/search endpoint with crafted 'keyword' and 'token' parameters that include unescaped SQL LIKE wildcards. This can be done manually or automated using a script that sends multiple concurrent requests. After the vulnerability is triggered, the application will struggle to process the influx of requests, leading to a degradation of service.

Remediation

Users can update to New API version 0.10.8-alpha.10 or later, where this vulnerability has been patched. The patch includes input validation to sanitize search patterns, preventing the injection of malicious wildcard sequences. Additionally, the updated version implements pagination and per-user search rate limiting to further mitigate the risk of resource exhaustion.
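The following Go example is added here to illustrate the kind of fix described in the Vulnerability and Remediation sections; it is not code from the New API project and does not reproduce its actual patch. It escapes the LIKE wildcards in the 'keyword' and 'token' parameters before they are bound as query parameters, so that user-typed '%' and '_' match literally and only the two wildcards added by the server remain active, and it clamps the page size. The tokens table, the column names (name, token_key), the length and page-size limits, and the choice of '!' as the LIKE escape character are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Limits chosen for this example; the advisory mentions pagination and
// rate limiting but does not state the project's actual values.
const (
	maxPatternLen = 64
	maxPageSize   = 100
)

// escapeLikePattern escapes the LIKE wildcards '%' and '_' (and the escape
// character itself) so that user input is matched literally. '!' is used as
// the escape character because it is not special inside SQL string literals,
// so the same "ESCAPE '!'" clause works in MySQL, PostgreSQL and SQLite.
func escapeLikePattern(s string) string {
	return strings.NewReplacer("!", "!!", "%", "!%", "_", "!_").Replace(s)
}

// activeWildcards counts the '%' and '_' characters the database will treat
// as wildcards in a pattern that uses '!' as the escape character.
func activeWildcards(pattern string) int {
	n := 0
	for i := 0; i < len(pattern); i++ {
		switch pattern[i] {
		case '!':
			i++ // the next character is escaped, skip it
		case '%', '_':
			n++
		}
	}
	return n
}

// SearchQuery is a parameterized statement plus its bound arguments.
type SearchQuery struct {
	SQL  string
	Args []interface{}
}

var errPatternTooLong = errors.New("search pattern too long")

// buildTokenSearch builds a paginated "contains" search over the hypothetical
// tokens table, scoped to one user. Every user-controlled value is bound as a
// parameter; nothing from the request is concatenated into the SQL text.
func buildTokenSearch(userID int, keyword, token string, page, pageSize int) (SearchQuery, error) {
	if len(keyword) > maxPatternLen || len(token) > maxPatternLen {
		return SearchQuery{}, errPatternTooLong
	}
	conds := []string{"user_id = ?"}
	args := []interface{}{userID}
	if keyword != "" {
		conds = append(conds, "name LIKE ? ESCAPE '!'")
		args = append(args, "%"+escapeLikePattern(keyword)+"%")
	}
	if token != "" {
		conds = append(conds, "token_key LIKE ? ESCAPE '!'")
		args = append(args, "%"+escapeLikePattern(token)+"%")
	}
	// Clamp pagination so one request cannot pull an unbounded result set.
	if pageSize < 1 || pageSize > maxPageSize {
		pageSize = maxPageSize
	}
	if page < 1 {
		page = 1
	}
	sql := fmt.Sprintf("SELECT * FROM tokens WHERE %s LIMIT ? OFFSET ?",
		strings.Join(conds, " AND "))
	args = append(args, pageSize, (page-1)*pageSize)
	return SearchQuery{SQL: sql, Args: args}, nil
}

func main() {
	// Constructed input: a keyword made entirely of LIKE wildcards.
	q, err := buildTokenSearch(7, "%_%_%_", "", 1, 20)
	if err != nil {
		panic(err)
	}
	fmt.Println(q.SQL)
	fmt.Printf("bound pattern %q has %d active wildcards\n",
		q.Args[1], activeWildcards(q.Args[1].(string)))
}
```

Before the fix, a keyword such as "%_%_%_" reaches the database with six active wildcards and forces an expensive scan; after escaping, the bound pattern carries only the two '%' added by the server, whatever the user typed.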

Added: Feb 24, 2026, 1:18 AM
Updated: Feb 24, 2026, 1:18 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 6.6
remediation: 0.0
relevance: 3.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.