QuantumNous new-api SQL Injection Vulnerability in TopUp Search Endpoint

A SQL injection vulnerability has been identified in QuantumNous new-api versions through 0.12.1. The issue resides in the SearchUserTopUps and SearchAllTopUps functions within model/topup.go, specifically in the self Endpoint. This vulnerability allows authenticated users to inject unescaped SQL wildcard characters into the keyword parameter of the top-up search API, manipulating the database's pattern-matching engine. The exploitation of this vulnerability has been publicly disclosed and could lead to unauthorized database access or manipulation.

Impact

Exploitation of this vulnerability allows authenticated users to perform SQL injection attacks, potentially leading to unauthorized data access or manipulation. Additionally, the vulnerability can be exploited to cause a denial-of-service condition on the database by exhausting database connections and causing application-wide slowdowns.

Reproduction

The vulnerability can be reproduced by sending a request to the '/api/user/topup/self' endpoint with an injected keyword parameter that includes SQL wildcard characters. The unescaped wildcards will be interpreted by the database as control operators, allowing for manipulation of the SQL query and causing a denial-of-service condition on the database.