CVE-2022-38488
Description
logrocket-oauth2-example through 2020-05-27 allows SQL injection via the /auth/register username parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in logrocket-oauth2-example allows unauthenticated attackers to execute arbitrary SQL commands via the username parameter.
Vulnerability
The logrocket-oauth2-example project, in versions through 2020-05-27, contains a SQL injection vulnerability in the /auth/register endpoint. The username parameter is concatenated directly into SQL queries without sanitization or parameterization, as shown in the tutorial code [1][2]. This affects any deployment that reuses the example code from the LogRocket blog post.
Exploitation
An attacker can exploit this by sending a crafted POST request to /auth/register with a malicious username value. No authentication is required. For example, username=test';CREATE TABLE hacked()-- creates a new table, while username=test';SELECT PG_SLEEP(5)-- performs a time-based blind SQL injection [2]. The attacker only needs network access to the target server.
Impact
Successful exploitation allows the attacker to execute arbitrary SQL commands on the underlying PostgreSQL database. This can lead to data exfiltration, data modification, or denial of service. The attacker gains full control over the database, potentially compromising all stored data [2].
Mitigation
No official patch has been released for this example project, which appears unmaintained. Users should avoid using this code in production environments. The recommended mitigation is to use parameterized queries or an ORM to prevent SQL injection. The tutorial may have been updated, but the vulnerable repository remains unchanged [1][2].
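As an added illustration of the parameterized-query mitigation (this is not code from the logrocket-oauth2-example project), the register handler's query built the vulnerable way next to the way node-postgres expects it; the `users` table, its column names and the pg `query(text, values)` calling convention are assumptions:

```javascript
// Added example, not the project's code. Assumes a `users` table with
// `username` and `password` columns and the node-postgres convention
// pool.query(text, values); the actual database call is left to the caller.

// Vulnerable pattern from the CVE: the username is interpolated into the SQL
// text, so a quote in the value closes the literal and the rest is run as SQL.
function buildRegisterQueryVulnerable(username, passwordHash) {
  return {
    text: `INSERT INTO users (username, password) VALUES ('${username}', '${passwordHash}')`,
    values: [],
  };
}

// Hardened form: the SQL text is a constant, and user data is sent separately
// as bind parameters ($1, $2) that PostgreSQL never parses as SQL.
function buildRegisterQuery(username, passwordHash) {
  return {
    text: 'INSERT INTO users (username, password) VALUES ($1, $2)',
    values: [username, passwordHash],
  };
}

// Review/test helper: a parameterized query must never carry the raw input
// inside its SQL text; if it does, the value is being concatenated somewhere.
function textContainsInput(query, input) {
  return query.text.includes(input);
}

// Constructed input shaped like the payload quoted in the CVE description.
const sample = "test';CREATE TABLE hacked()--";
const vulnerable = buildRegisterQueryVulnerable(sample, 'bcrypt-hash-placeholder');
const hardened = buildRegisterQuery(sample, 'bcrypt-hash-placeholder');
console.log('vulnerable text :', vulnerable.text);           // input became part of the SQL
console.log('hardened text   :', hardened.text);             // fixed SQL, no input inside
console.log('hardened values :', JSON.stringify(hardened.values)); // input stays a plain value
```

With the hardened object, `pool.query(hardened.text, hardened.values)` stores the username verbatim as a row value, whatever characters it contains.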
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- logrocket/oauth2-example
- Range: <=2020-05-27
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.