Ory Hydra SQL Injection Vulnerability in Admin APIs via Forged Pagination Tokens

Vulnerability

A SQL injection vulnerability affects Ory Hydra, an OAuth 2.0 Server and OpenID Connect Provider, in versions prior to 26.2.0. The Admin API endpoints listOAuth2Clients, listOAuth2ConsentSessions, and listTrustedOAuth2JwtGrantIssuers are affected because of improper handling of the pagination token they accept. Pagination tokens are encrypted with the secret configured in secrets.pagination; when that key is not set, Hydra falls back to secrets.system. Anyone who knows the effective secret can mint arbitrary tokens, including ones that carry a SQL injection payload, so the encryption provides no protection against a party holding the key. Exploitation requires access to the affected Admin APIs, the ability to pass a raw pagination token to them, and knowledge of the pagination secret or the system secret it falls back to.

Impact

An attacker who can forge a pagination token can execute arbitrary SQL against Hydra's database through the affected Admin API endpoints, potentially leading to unauthorized data access or data manipulation.

Remediation

Users are advised to immediately configure a dedicated value for secrets.pagination, generated as a cryptographically secure random secret (for example with OpenSSL), so that pagination tokens no longer fall back to secrets.system. After updating the pagination secret, upgrade Ory Hydra to version 26.2.0 or later. The dedicated secret narrows who can forge tokens to holders of that one value; the upgrade is what removes the injection itself, so both steps are needed.
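The audit and the secret generation described above, as an added shell example that is not Ory's own tooling: it scans a hydra.yml for a dedicated secrets.pagination entry (flagging configs that silently fall back to secrets.system), generates a 32-byte secret with OpenSSL as the advisory suggests (falling back to /dev/urandom where openssl is absent), and renders the secrets block to merge into the config. The file layout, the list form of the secret values, the file names and the sample secret strings are assumptions modelled on the documented secrets.system key.

```shell
#!/bin/sh
# Added example, not Ory's own tooling: audit a Hydra config file for a
# dedicated secrets.pagination value and generate one when it is missing.
# Assumptions: the config is YAML with top-level keys secrets.system and
# secrets.pagination, each holding a list of strings; file names and the
# sample secret values below are constructed.
set -eu

# Generate a 32-byte secret as 64 hex characters. Prefers OpenSSL, as the
# advisory suggests, and falls back to /dev/urandom where openssl is absent.
gen_pagination_secret() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -hex 32
    else
        head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
    fi
}

# Exit 0 when "$1" sets secrets.pagination to a non-empty value, 1 when the
# key is absent or empty (Hydra then falls back to secrets.system).
# Deliberately minimal YAML scan: top-level "secrets:" block, nested
# "pagination:" key, with either an inline value or a "- item" list below.
has_pagination_secret() {
    awk '
        /^[^ \t#]/ { in_secrets = ($0 ~ /^secrets:/); inlist = 0 }
        in_secrets && /^[ \t]+[A-Za-z_]+:/ { inlist = 0 }
        in_secrets && /^[ \t]+pagination:/ {
            v = $0
            sub(/^[ \t]+pagination:[ \t]*/, "", v)
            sub(/[ \t]*#.*$/, "", v)
            if (v != "" && v != "[]") { found = 1 } else { inlist = 1 }
        }
        in_secrets && inlist && /^[ \t]+-[ \t]*[^ \t]/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Print the secrets block to merge into hydra.yml: $1 system, $2 pagination.
render_secrets_block() {
    printf 'secrets:\n  system:\n    - %s\n  pagination:\n    - %s\n' "$1" "$2"
}

# --- Constructed sample configs -------------------------------------------
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT

VULN_CFG="$TMPD/hydra-before.yml"
FIXED_CFG="$TMPD/hydra-after.yml"
SYSTEM_SECRET=2f7c0b1e2c4d4e5f6a7b8c9d0e1f2a3b   # constructed placeholder

# Before: only secrets.system is set, so pagination tokens fall back to it.
cat > "$VULN_CFG" <<EOF
dsn: memory
secrets:
  system:
    - $SYSTEM_SECRET
serve:
  admin:
    port: 4445
EOF

# After: the same config with a dedicated, freshly generated pagination secret.
PAGINATION_SECRET=$(gen_pagination_secret)
{
    printf 'dsn: memory\n'
    render_secrets_block "$SYSTEM_SECRET" "$PAGINATION_SECRET"
    printf 'serve:\n  admin:\n    port: 4445\n'
} > "$FIXED_CFG"

for f in "$VULN_CFG" "$FIXED_CFG"; do
    if has_pagination_secret "$f"; then
        echo "ok:      $f sets secrets.pagination"
    else
        echo "WARNING: $f has no secrets.pagination; tokens fall back to secrets.system"
    fi
done
```

Run it as-is to see the before and after verdicts, then copy the rendered block into the real config. The same value can be supplied as an environment variable instead; by Ory's convention of upper-casing config keys with underscores in place of dots that would be SECRETS_PAGINATION, which is an assumption here rather than something the advisory states. Treat any in-flight pagination cursors as invalid after the key changes, and confirm the upgrade afterwards with `hydra version`.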

Added: Mar 26, 2026, 6:20 PM
Updated: Mar 26, 2026, 6:20 PM

Vulnerability Rating

Custom Algorithm scores:
spread: 3.4
impact: 3.1
exploitability: 3.0
remediation: 8.3
relevance: 4.7
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to produce these eight category scores, which are then combined into the overall risk score.