BillaBear SQL Injection Vulnerability in EventRepository

Vulnerability

A SQL injection vulnerability has been identified in BillaBear's EventRepository component, affecting all versions prior to January 2026. The vulnerability arises because user-controlled input from metric filter names and aggregation properties is directly inserted into SQL queries using sprintf(), without adequate sanitization or proper quoting of identifiers. While filter values are parameterized, the filter identifiers are not. This flaw allows an authenticated attacker with ROLE_ACCOUNT_MANAGER permissions to execute arbitrary SQL commands, potentially leading to a complete compromise of the application's database.

Impact

Exploitation of this vulnerability allows an authenticated user with ROLE_ACCOUNT_MANAGER permissions to execute arbitrary SQL commands. This could lead to unauthorized access to sensitive data, such as customer information, payment details, and administrative credentials, depending on the injected SQL payload. In a multi-tenant SaaS environment, this vulnerability could also allow access to data from other organizations.

Reproduction

To reproduce this vulnerability, an authenticated user with ROLE_ACCOUNT_MANAGER must create a metric through the application's API. The metric's filter name can include a SQL injection payload, which will be executed when the application's usage calculation processes are triggered, such as during invoice generation or billing cycle updates.

Remediation

To address this vulnerability, BillaBear should implement proper validation and sanitization of metric filter names to prevent SQL injection. This can be achieved by whitelisting acceptable filter name formats or by using parameterized queries that bind filter names as identifiers rather than concatenating them directly into SQL strings.
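The allowlist approach described above, as an added example that is not BillaBear's own code: identifiers are checked against both a syntactic pattern and the table's real column list before being quoted, while filter values stay bound as parameters. The `event_metadata` table, its columns and the `build_usage_query_vulnerable` helper are constructed stand-ins for the flawed pattern, not the project's real schema or query.

```python
import re
import sqlite3

# Constructed stand-in for a usage table; not BillaBear's real schema.
TABLE = "event_metadata"
# Syntactic allowlist for identifiers: letters, digits and underscore only.
IDENTIFIER_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")

def build_usage_query_vulnerable(filter_name: str, aggregation_property: str) -> str:
    """The flawed pattern: identifiers interpolated sprintf-style, only the value bound."""
    return f"SELECT SUM({aggregation_property}) FROM {TABLE} WHERE {filter_name} = ?"

def allowed_columns(conn: sqlite3.Connection) -> set:
    """Schema-driven allowlist: only columns that actually exist on the table."""
    return {row[1] for row in conn.execute(f"PRAGMA table_info({TABLE})")}

def safe_identifier(name: str, allowed: set) -> str:
    """Reject anything that is not a known column, then quote it as an identifier.
    The membership check matters: SQLite silently treats an unknown double-quoted
    identifier as a string literal, so quoting alone is not a sufficient defence."""
    if not IDENTIFIER_RE.fullmatch(name) or name not in allowed:
        raise ValueError(f"rejected identifier: {name!r}")
    return '"' + name + '"'

def build_usage_query(conn, filter_name: str, aggregation_property: str) -> str:
    """Hardened builder: identifiers validated and quoted, value left as a placeholder."""
    allowed = allowed_columns(conn)
    col = safe_identifier(aggregation_property, allowed)
    flt = safe_identifier(filter_name, allowed)
    return f"SELECT SUM({col}) FROM {TABLE} WHERE {flt} = ?"

def calculate_usage(conn, filter_name, filter_value, aggregation_property) -> float:
    """Run the hardened query; the filter value is bound, never interpolated."""
    sql = build_usage_query(conn, filter_name, aggregation_property)
    total = conn.execute(sql, (filter_value,)).fetchone()[0]
    return float(total or 0)

def rejects(conn, filter_name, aggregation_property) -> bool:
    """True if the hardened builder refuses the given identifiers."""
    try:
        build_usage_query(conn, filter_name, aggregation_property)
    except ValueError:
        return True
    return False

def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory sample data for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE {TABLE} (region TEXT, amount REAL)")
    conn.executemany(f"INSERT INTO {TABLE} VALUES (?, ?)",
                     [("eu", 2.5), ("eu", 1.5), ("us", 7.0)])
    return conn
```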

Added: May 19, 2026, 4:29 PM
Updated: May 19, 2026, 4:29 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.1
exploitability: 6.6
remediation: 0.0
relevance: 8.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.