loopback-connector-postgresql Vulnerable to Improper Sanitization of `contains` Filter
Description
Improper input validation on the contains LoopBack filter may allow for arbitrary SQL injection. When the extended filter property contains is permitted to be interpreted by the Postgres connector, it is possible to inject arbitrary SQL which may affect the confidentiality and integrity of data stored on the connected database. A patch was released in version 5.5.1. This affects users who does any of the following: - Connect to the database via the DataSource with allowExtendedProperties: true setting OR - Uses the connector's CRUD methods directly OR - Uses the connector's other methods to interpret the LoopBack filter. Users who are unable to upgrade should do the following if applicable: - Remove allowExtendedProperties: true DataSource setting - Add allowExtendedProperties: false DataSource setting - When passing directly to the connector functions, manually sanitize the user input for the contains LoopBack filter beforehand.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
loopback-connector-postgresqlnpm | < 5.5.1 | 5.5.1 |
Affected products
1- Range: < 5.5.1
Patches
1d57406c67376fix: improve filter sanitisation
1 file changed · +4 −3
lib/postgresql.js+4 −3 modified@@ -545,10 +545,11 @@ PostgreSQL.prototype.buildExpression = function(columnName, operator, return new ParameterizedSQL(columnName + regexOperator, [operatorValue.source]); case 'contains': - return new ParameterizedSQL(columnName + ' @> array[' + operatorValue.map((v) => `'${v}'`) + ']::' - + propertyDefinition.postgresql.dataType); + return new ParameterizedSQL(columnName + ' @> array[' + operatorValue.map(() => '?') + ']::' + + propertyDefinition.postgresql.dataType, + operatorValue); case 'match': - return new ParameterizedSQL(`to_tsvector(${columnName}) @@ to_tsquery('${operatorValue}')`); + return new ParameterizedSQL(`to_tsvector(${columnName}) @@ to_tsquery(?)`, [operatorValue]); default: // invoke the base implementation of `buildExpression` return this.invokeSuper('buildExpression', columnName, operator,
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4- github.com/advisories/GHSA-j259-6c58-9m58ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-35942ghsaADVISORY
- github.com/loopbackio/loopback-connector-postgresql/commit/d57406c6737692a3a106b58a35406290cddb23e5ghsax_refsource_MISCWEB
- github.com/loopbackio/loopback-connector-postgresql/security/advisories/GHSA-j259-6c58-9m58ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.