ElectricSQL Error-Based SQL Injection Vulnerability in Order By Parameter of the Shape API

Vulnerability

A critical error-based SQL injection vulnerability has been identified in ElectricSQL versions from 1.1.12 up to, but not including, 1.5.0. The issue resides in the 'order_by' parameter of the '/v1/shape' API: the value is not properly validated, so authenticated users can inject arbitrary ORDER BY expressions. Exploitation could lead to unauthorized access to, modification of, and deletion of data in the underlying PostgreSQL database. The vulnerability also poses a denial-of-service risk, since injected expressions can disrupt database operations.

Impact

Exploitation of this vulnerability allows authenticated users to gain full control over the PostgreSQL database used by the ElectricSQL sync service. It enables error-based data extraction, arbitrary data manipulation through INSERT, UPDATE, and DELETE commands, and destructive operations such as dropping tables or creating superuser roles. Additionally, the vulnerability can be exploited to cause a denial of service by injecting commands that delay database response times, without needing any special extensions.

Reproduction

To reproduce this vulnerability, send a POST request to the ElectricSQL '/v1/shapes' endpoint with a crafted 'order_by' parameter. The injection can be verified by including a SQL command that extracts data, such as the PostgreSQL version, which will be returned in the error response. Once confirmed, the same injection point can be used to access and manipulate other database tables and execute destructive commands.

Remediation

Users self-hosting ElectricSQL should upgrade to version 1.5.0 or later. Electric Cloud customers have already been patched to version 1.5.0.
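The root cause described above is an 'order_by' value that reaches the SQL query without validation. As an added illustration (not ElectricSQL's own code or fix), the following Python function shows the defensive pattern for such a parameter: parse it against a strict grammar, accept only allowlisted column names, and emit quoted identifiers, so no request text is ever concatenated into SQL. The grammar, the allowlist, and the column names are assumptions constructed for this example.

```python
import re

# Constructed allowlist: the columns a particular shape exposes for sorting.
ALLOWED_COLUMNS = {"id", "created_at", "title", "owner_id"}

# Strict grammar for one term: <identifier> [ASC|DESC] [NULLS FIRST|LAST].
# Anything outside this shape (parentheses, quotes, semicolons, comments,
# function calls) fails to match and is rejected before any SQL is built.
_TERM_RE = re.compile(
    r"^\s*([A-Za-z_][A-Za-z0-9_]{0,62})"
    r"(?:\s+(ASC|DESC))?"
    r"(?:\s+NULLS\s+(FIRST|LAST))?\s*$",
    re.IGNORECASE,
)


class OrderByError(ValueError):
    """Raised when an order_by value is not a plain allowlisted column list."""


def build_order_by(raw: str, allowed: set = ALLOWED_COLUMNS) -> str:
    """Turn a user-supplied order_by string into a safe ORDER BY clause.

    Each comma-separated term must match _TERM_RE and name an allowlisted
    column (compared case-sensitively, i.e. exactly as the column exists).
    The column is emitted as a double-quoted identifier, so the request
    text never reaches the query unchanged.
    """
    if not raw or not raw.strip():
        raise OrderByError("order_by must not be empty")
    terms = []
    for piece in raw.split(","):
        match = _TERM_RE.match(piece)
        if not match:
            raise OrderByError(f"malformed order_by term: {piece!r}")
        column, direction, nulls = match.groups()
        if column not in allowed:
            raise OrderByError(f"column not allowed in order_by: {column!r}")
        term = f'"{column}"'
        if direction:
            term += " " + direction.upper()
        if nulls:
            term += " NULLS " + nulls.upper()
        terms.append(term)
    return "ORDER BY " + ", ".join(terms)


def is_safe_order_by(raw: str, allowed: set = ALLOWED_COLUMNS) -> bool:
    """True if build_order_by would accept the value, False otherwise."""
    try:
        build_order_by(raw, allowed)
        return True
    except OrderByError:
        return False
```

The same allowlist approach applies to any endpoint that lets a client choose sort columns; a reject-by-default grammar is what prevents the parameter from becoming an expression injection point.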

Added: Apr 21, 2026, 9:50 PM
Updated: Apr 21, 2026, 9:50 PM

Vulnerability Rating

Custom Algorithm

- spread: 0.0
- impact: 5.6
- exploitability: 6.6
- remediation: 0.0
- relevance: 6.4
- threat: 6.4
- urgency: 2.9
- incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.