Twenty
- <= 1.16.7
A critical remote code execution vulnerability has been identified in Twenty CRM versions from 1.7.7 up to, but not including, 1.16.7. The vulnerability chains a SQL injection with a PostgreSQL 'COPY TO PROGRAM' attack. In installations where the PostgreSQL user has superuser privileges, any authenticated user can execute arbitrary operating system commands on the database server. The injection point is the unsanitized 'timeZone' parameter of the REST API 'groupBy' endpoint. The flaw is in the file 'engine/api/graphql/graphql-query-runner/group-by/resolvers/utils/get-group-by-expression.util.ts', where the 'timeZone' parameter is interpolated directly into a raw SQL expression without validation or escaping.
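The pattern behind this bug, and the fix a reviewer would expect, as an added TypeScript example that is not Twenty's own code: a user-controlled time zone string is concatenated into SQL, so any quote or separator in it changes the query. The hardened version validates the value as an IANA zone name (syntactically and via the runtime's `Intl.DateTimeFormat`, which throws on unknown zones) and passes it to PostgreSQL as a bound parameter instead of inline text. The builder shape, the column name and the `$1` placeholder style are assumptions for illustration; the injection-shaped input is a constructed sample used only to show that the validator rejects it.

```typescript
// Added example, not Twenty's own code. Shows the vulnerable pattern
// (interpolating a user-supplied time zone into raw SQL) next to a
// hardened builder that validates the zone and binds it as a parameter.

// Hypothetical shape for a query fragment with PostgreSQL-style placeholders.
interface SqlFragment {
  text: string;     // SQL text containing $1, $2, ... placeholders
  values: string[]; // bound parameter values, sent separately from the SQL
}

// VULNERABLE (illustrative): the time zone lands inside the SQL string as-is,
// so a quote in the input terminates the literal and the rest is parsed as SQL.
function buildGroupByExpressionUnsafe(column: string, timeZone: string): string {
  return `DATE_TRUNC('day', "${column}" AT TIME ZONE '${timeZone}')`;
}

// Syntactic allowlist for IANA zone identifiers: segments of letters, digits,
// '_', '+' and '-', separated by '/'. Quotes, spaces and ';' can never pass.
const IANA_ZONE = /^[A-Za-z0-9_+\-]+(\/[A-Za-z0-9_+\-]+)*$/;

// Accept only values that are both well-formed and known to the runtime.
function isValidTimeZone(timeZone: string): boolean {
  if (timeZone.length === 0 || timeZone.length > 64) return false;
  if (!IANA_ZONE.test(timeZone)) return false;
  try {
    // Intl.DateTimeFormat throws a RangeError for an unknown time zone,
    // so this also rejects well-formed but non-existent names.
    new Intl.DateTimeFormat('en-US', { timeZone });
    return true;
  } catch {
    return false;
  }
}

// HARDENED: validate the identifier and the zone, then bind the zone as $1.
// "AT TIME ZONE" accepts a text operand, so a bound parameter works directly.
function buildGroupByExpressionSafe(column: string, timeZone: string): SqlFragment {
  if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(column)) {
    throw new Error('invalid column identifier');
  }
  if (!isValidTimeZone(timeZone)) {
    throw new Error('invalid timeZone parameter');
  }
  return {
    text: `DATE_TRUNC('day', "${column}" AT TIME ZONE $1)`,
    values: [timeZone],
  };
}

// Constructed sample input containing a quote and a statement separator,
// the shape a request-side validator or WAF rule would want to catch.
const constructedBadInput = "UTC'; SELECT 1 --";

// Outcome of the two builders on the same inputs (for reading, not asserted on).
function demonstrate(): { unsafeSql: string; safeRejected: boolean; safeFragment: SqlFragment } {
  let safeRejected = false;
  try {
    buildGroupByExpressionSafe('createdAt', constructedBadInput);
  } catch {
    safeRejected = true;
  }
  return {
    unsafeSql: buildGroupByExpressionUnsafe('createdAt', constructedBadInput),
    safeRejected,
    safeFragment: buildGroupByExpressionSafe('createdAt', 'Europe/Paris'),
  };
}

console.log(demonstrate());
```

The `Intl` check matters because a regex alone still lets through names that are well-formed but unknown; the database would then error rather than execute anything unintended, but rejecting them at the API boundary keeps error messages and logs clean and gives a single place to alert on malformed `timeZone` values.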
Exploitation of this vulnerability allows for remote code execution on the database server, with the executed commands running in the context of the PostgreSQL superuser.
Users can upgrade to Twenty CRM version 1.16.7 to address this vulnerability.