Vendure Unauthenticated SQL Injection Vulnerability in Shop API

Vulnerability

A critical unauthenticated SQL injection vulnerability has been identified in the Vendure Shop API. It affects versions from 1.7.4 up to but not including 2.3.4, from 3.0.0 up to but not including 3.5.7, and from 3.6.0 up to but not including 3.6.2. The flaw exists because a user-controlled query string parameter is interpolated directly into a raw SQL expression without parameterization or validation, so an attacker can execute arbitrary SQL against the store database. All supported database backends (PostgreSQL, MySQL/MariaDB and SQLite) are affected. The Admin API is vulnerable in the same way, but exploiting it requires an authenticated session.

Impact

Successful exploitation allows arbitrary SQL execution, which can lead to unauthorized data access, data manipulation and, depending on the database backend and the privileges of the database account, execution of commands on the database server.

Reproduction

The vulnerability can be reproduced by sending a request to the Vendure Shop API with a crafted 'languageCode' query string parameter. The value is interpolated into a SQL 'CASE' expression without validation, so it is treated as part of the SQL text rather than as data, and arbitrary SQL can be injected. The vulnerable endpoint is exposed on every default Vendure installation and requires no authentication.

Remediation

Users are advised to upgrade to Vendure 2.3.4, 3.5.7 or 3.6.2, whichever matches their release line; each contains the fix. Those unable to upgrade immediately can apply a hotfix that validates the 'languageCode' input before it reaches the database query, by modifying the 'getLanguageCode' method in 'request-context.service.ts' to check at runtime that the value is a recognized language code and to reject anything else. The check should be a strict allowlist match rather than an attempt to escape the value, and it should also reject non-string values (for example an array produced by a repeated query parameter). The hotfix is a stopgap; upgrading remains the recommended fix.
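To make the mechanism in the Reproduction and Remediation sections concrete, the following is an added TypeScript example; it is not Vendure's code. The 'CASE' expression is a simplified stand-in for the raw expression the advisory describes, the allowlist of language codes is a constructed subset (a real hotfix would check against Vendure's generated LanguageCode enum), the 'parseQuery' helper is a minimal stand-in for Express's 'req.query', and the injection payload is constructed for illustration. The ':languageCode' binding uses TypeORM-style named-parameter syntax.

```typescript
// Added illustration of the languageCode injection pattern and a validating fix.
// None of this is Vendure's code: the CASE expression is a simplified stand-in for
// the raw expression the advisory describes, and the allowlist is a constructed subset.

// Constructed allowlist. A real hotfix would check against the project's
// generated LanguageCode enum rather than this hand-written set.
const ALLOWED_LANGUAGE_CODES: ReadonlySet<string> = new Set(['en', 'de', 'fr', 'es', 'zh_Hans']);

// Minimal stand-in for Express's req.query: repeated keys become arrays,
// which is why the validator below must reject non-string values too.
function parseQuery(search: string): Record<string, string | string[]> {
  const out: Record<string, string | string[]> = {};
  for (const pair of search.replace(/^\?/, '').split('&')) {
    if (!pair) continue;
    const idx = pair.indexOf('=');
    const rawKey = idx < 0 ? pair : pair.slice(0, idx);
    const rawValue = idx < 0 ? '' : pair.slice(idx + 1);
    const key = decodeURIComponent(rawKey.replace(/\+/g, ' '));
    const value = decodeURIComponent(rawValue.replace(/\+/g, ' '));
    const prev = out[key];
    out[key] = prev === undefined ? value : ([] as string[]).concat(prev, value);
  }
  return out;
}

// Vulnerable pattern: the raw query-string value is spliced into a quoted SQL literal.
// A value containing a single quote terminates the literal and the rest is parsed as SQL.
function buildCaseExpressionUnsafe(languageCode: string): string {
  return `CASE WHEN translation.languageCode = '${languageCode}' THEN 1 ELSE 0 END`;
}

// Runtime validation: accept only a string that is a known language code.
// Anything else (unknown code, array, undefined, number) is rejected outright.
function isValidLanguageCode(value: unknown): value is string {
  return typeof value === 'string' && ALLOWED_LANGUAGE_CODES.has(value);
}

// Hardened pattern: validate first, then pass the value as a bound parameter
// (TypeORM-style ":languageCode" placeholder) instead of interpolating it.
function buildCaseExpressionSafe(languageCode: unknown): { sql: string; params: { languageCode: string } } {
  if (!isValidLanguageCode(languageCode)) {
    throw new Error('Invalid languageCode query parameter');
  }
  return {
    sql: 'CASE WHEN translation.languageCode = :languageCode THEN 1 ELSE 0 END',
    params: { languageCode },
  };
}

// Walk a constructed request query string through both paths and report the outcome:
// the SQL the unsafe builder would emit (null if the value was not a string) and
// whether the hardened builder accepted the value.
function demo(search: string): { unsafeSql: string | null; safeAccepted: boolean } {
  const languageCode = parseQuery(search).languageCode;
  const unsafeSql = typeof languageCode === 'string' ? buildCaseExpressionUnsafe(languageCode) : null;
  let safeAccepted = true;
  try {
    buildCaseExpressionSafe(languageCode);
  } catch {
    safeAccepted = false;
  }
  return { unsafeSql, safeAccepted };
}

// Constructed payload: URL-encoded form of  en' OR '1'='1
console.log(demo("?languageCode=en%27%20OR%20%271%27%3D%271"));
console.log(demo('?languageCode=fr'));
console.log(demo('?languageCode=en&languageCode=de'));
```

The allowlist check is deliberately an exact-match membership test rather than escaping: the set of valid language codes is small and fixed, so there is no reason to let any other string reach the query builder. The parameter binding is defence in depth for the case where a future code path forgets to validate.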

Added: Apr 21, 2026, 11:46 PM
Updated: Apr 21, 2026, 11:46 PM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 3.1
exploitability: 8.6
remediation: 7.7
relevance: 6.4
threat: 1.7
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.