OpenReplay SQL Injection Vulnerability in Cards Search Endpoint

Vulnerability

A SQL injection vulnerability has been identified in OpenReplay versions prior to 1.20.0. The issue resides in the POST /{projectId}/cards/search endpoint, where the sort.field parameter is not validated. Attacker-controlled input is interpolated directly into the ORDER BY clause of the SQL query, which allows SQL injection.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can manipulate SQL queries to execute arbitrary SQL code, potentially leading to unauthorized data access or modification.

Reproduction

To reproduce this vulnerability, send a POST request to the /{projectId}/cards/search endpoint with a crafted sort.field parameter. The parameter accepts any string, because it is not validated before being inserted into the SQL query. The injection is possible because the application uses an f-string to interpolate the sort.field value directly into the query text, so no escaping or parameter binding is applied.
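The safe pattern for a user-controlled sort field is to map it onto an allowlist of column names rather than interpolating it, since ORDER BY identifiers cannot be bound as query parameters. The following is an added illustration, not OpenReplay's code; the column names, the query skeleton and the function names are assumptions.

```python
# Added example (not OpenReplay's code): build the ORDER BY clause of a
# cards-search query from an allowlist instead of interpolating sort.field.
# Column names and the query skeleton are constructed for illustration.

ALLOWED_SORT_FIELDS = {
    "name": "c.name",
    "created_at": "c.created_at",
    "updated_at": "c.updated_at",
}
ALLOWED_SORT_ORDERS = {"asc": "ASC", "desc": "DESC"}


class InvalidSortError(ValueError):
    """Raised when sort.field or sort.order is not on the allowlist."""


def sort_is_allowed(field: str, order: str = "desc") -> bool:
    """True only if both values map to a fixed, known SQL fragment."""
    return field in ALLOWED_SORT_FIELDS and order.lower() in ALLOWED_SORT_ORDERS


def build_order_by(field: str, order: str = "desc") -> str:
    """Translate request values into a fixed ORDER BY fragment.

    The request string itself never reaches the SQL text: only the
    allowlisted column name and direction are emitted, so a value
    containing SQL syntax is rejected instead of being executed.
    """
    if not sort_is_allowed(field, order):
        raise InvalidSortError(f"unsupported sort: field={field!r} order={order!r}")
    return f"ORDER BY {ALLOWED_SORT_FIELDS[field]} {ALLOWED_SORT_ORDERS[order.lower()]}"


def build_cards_search_query(project_id: int, field: str, order: str = "desc"):
    """Return (sql, params): project_id is bound, ORDER BY is allowlisted."""
    order_by = build_order_by(field, order)
    sql = (
        "SELECT c.card_id, c.name, c.created_at FROM cards c "
        "WHERE c.project_id = %(project_id)s AND c.deleted_at IS NULL "
        + order_by
    )
    return sql, {"project_id": project_id}
```

A unit test that feeds the endpoint's validator a value containing SQL syntax and expects rejection is a cheap regression guard for this class of bug.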

Remediation

Users can upgrade to OpenReplay version 1.20.0 or later, where this vulnerability has been patched.

Added: Mar 5, 2026, 9:18 PM
Updated: Mar 5, 2026, 9:18 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 5.6
remediation: 0.0
relevance: 3.5
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.