Vitess VTAdmin users that can create shards can deny access to other functions
Description
An input validation flaw in VTAdmin allowed shard names with '/' characters, causing persistent management failures until patched in v16.0.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Root Cause
CVE-2023-29195 is an input validation vulnerability in Vitess, a database clustering system for horizontal scaling of MySQL. Prior to version 16.0.2, shard names submitted through VTAdmin were not checked for the forward slash (/) character. The vtctldclient CLI validated its input correctly, but VTAdmin did not [2], so the check existed only on one client path rather than at the topology layer that every client ends up writing to. The fix adds the check to ValidateShardName in the topo package, so that CreateShard rejects such names regardless of which client submits them [1].
Exploitation
A user with access to VTAdmin could, intentionally or inadvertently, create a shard whose name contains a / character. From that point on the condition was persistent: every subsequent attempt to create a new shard through VTAdmin failed, and viewing the keyspace(s) no longer worked [2]. The / character matters because topology records are stored under slash-separated path keys; a shard name containing it is written under a nested key that the normal layout does not account for, which leaves the record inaccessible to the cluster management operations that walk the keyspace [1].
Impact
The flaw is a denial of service (DoS) against cluster management through VTAdmin: once one bad shard exists, every user relying on VTAdmin for shard creation or keyspace viewing is blocked, not only the user who created it. No new privilege is gained and no data is exposed. The vtctldclient CLI is unaffected and remains functional [2].
Mitigation
The vulnerability is fixed in Vitess version 16.0.2 (corresponding to Go module version 0.16.2). The fix introduces validation in the ValidateShardName function to reject shard names containing / [1][4]. Workarounds include always using vtctldclient instead of VTAdmin, disabling shard creation via VTAdmin with RBAC, or manually deleting the offending topology record [2].
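A small Go model of the mechanics described in the Exploitation and Mitigation sections, added here as an illustration; it is not code from Vitess or VTAdmin. It assumes a simplified slash-separated topology key layout (`/keyspaces/<ks>/shards/<shard>/Shard`), a hypothetical `validateShardName` that re-implements the v16.0.2 check, and an in-memory map standing in for the topo server. It shows why a single shard named `a/b` breaks the keyspace view for everyone, why a validated create path (vtctldclient, or the patched topo layer) never gets there, and how the workaround of deleting the offending record restores the view.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// shardKey builds the topology record key for a shard. This layout is an
// assumption for the example, modelled on path-style topo keys; it is not
// Vitess's exact key format.
func shardKey(keyspace, shard string) string {
	return "/keyspaces/" + keyspace + "/shards/" + shard + "/Shard"
}

// validateShardName is a hypothetical re-implementation of the check the
// v16.0.2 fix adds to ValidateShardName: reject any name containing '/'.
func validateShardName(shard string) error {
	if strings.Contains(shard, "/") {
		return fmt.Errorf("invalid shard name %q: may not contain '/'", shard)
	}
	return nil
}

// createShard writes a shard record into the in-memory topo. validate=false
// models the pre-16.0.2 VTAdmin path that accepted any name; validate=true
// models vtctldclient and the patched topo layer.
func createShard(topo map[string]string, keyspace, shard string, validate bool) error {
	if validate {
		if err := validateShardName(shard); err != nil {
			return err
		}
	}
	topo[shardKey(keyspace, shard)] = "shard record for " + shard
	return nil
}

// listShards models a keyspace view: list the direct children of the
// keyspace's shards directory, then load each child's Shard record. A name
// like "a/b" lands at .../shards/a/b/Shard, so the listing sees a child "a"
// with no record and the whole view fails, for every caller.
func listShards(topo map[string]string, keyspace string) ([]string, error) {
	prefix := "/keyspaces/" + keyspace + "/shards/"
	seen := map[string]bool{}
	var names []string
	for key := range topo {
		if !strings.HasPrefix(key, prefix) {
			continue
		}
		child := strings.SplitN(strings.TrimPrefix(key, prefix), "/", 2)[0]
		if !seen[child] {
			seen[child] = true
			names = append(names, child)
		}
	}
	sort.Strings(names)
	for _, name := range names {
		if _, ok := topo[shardKey(keyspace, name)]; !ok {
			return nil, fmt.Errorf("keyspace %q: child %q has no Shard record (written under a nested key)", keyspace, name)
		}
	}
	return names, nil
}

// offendingShardKeys finds records under the shards directory that do not
// have the expected <shard>/Shard shape, i.e. records created with a
// slash-containing name. Deleting them is the manual recovery step.
func offendingShardKeys(topo map[string]string, keyspace string) []string {
	prefix := "/keyspaces/" + keyspace + "/shards/"
	var bad []string
	for key := range topo {
		if !strings.HasPrefix(key, prefix) {
			continue
		}
		parts := strings.Split(strings.TrimPrefix(key, prefix), "/")
		if len(parts) != 2 || parts[0] == "" || parts[1] != "Shard" {
			bad = append(bad, key)
		}
	}
	sort.Strings(bad)
	return bad
}

func main() {
	topo := map[string]string{}
	_ = createShard(topo, "commerce", "-80", false)
	_ = createShard(topo, "commerce", "a/b", false) // accepted by the unchecked path
	_, err := listShards(topo, "commerce")
	fmt.Println("keyspace view:", err)
	fmt.Println("checked create:", createShard(topo, "commerce", "c/d", true))
	for _, k := range offendingShardKeys(topo, "commerce") {
		delete(topo, k) // workaround: remove the offending record
	}
	names, err := listShards(topo, "commerce")
	fmt.Println("after cleanup:", names, err)
}
```

The point the model makes is that the validation belongs at the topo layer, where all clients converge, not in each client; that is exactly where the fix places it, and it is why the RBAC workaround (deny shard creation from VTAdmin) is a stop-gap rather than a substitute for upgrading.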
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| vitess.io/vitess (Go) | < 0.16.2 | 0.16.2 |
Patches
9dcbd7de3180 Backport: [topo] Disallow the slash character in shard names #12843 (#12858)
3 files changed · +69 −2
changelog/16.0/16.0.2/summary.md+7 −0 added@@ -0,0 +1,7 @@ +## Summary + +### Shard name validation in TopoServer + +Prior to v16.0.2, it was possible to create a shard name with invalid characters, which would then be inaccessible to various cluster management operations. + +Shard names may no longer contain the forward slash ("/") character, and TopoServer's `CreateShard` method returns an error if given such a name. \ No newline at end of file
go/vt/topo/shard.go+4 −0 modified@@ -120,6 +120,10 @@ func IsShardUsingRangeBasedSharding(shard string) bool { // ValidateShardName takes a shard name and sanitizes it, and also returns // the KeyRange. func ValidateShardName(shard string) (string, *topodatapb.KeyRange, error) { + if strings.Contains(shard, "/") { + return "", nil, vterrors.Errorf(vtrpc.Code_INVALID_ARGUMENT, "invalid shardId, may not contain '/': %v", shard) + } + if !IsShardUsingRangeBasedSharding(shard) { return shard, nil, nil }
go/vt/topo/shard_test.go+58 −2 modified@@ -17,13 +17,14 @@ limitations under the License. package topo import ( + "context" "reflect" "testing" + "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "context" - + "vitess.io/vitess/go/test/utils" topodatapb "vitess.io/vitess/go/vt/proto/topodata" ) @@ -222,3 +223,58 @@ func TestUpdateSourceDeniedTables(t *testing.T) { t.Fatalf("one cell removal from all failed: %v", si) } } + +func TestValidateShardName(t *testing.T) { + t.Parallel() + + cases := []struct { + name string + expectedRange *topodatapb.KeyRange + valid bool + }{ + { + name: "0", + valid: true, + }, + { + name: "-80", + expectedRange: &topodatapb.KeyRange{ + Start: nil, + End: []byte{0x80}, + }, + valid: true, + }, + { + name: "40-80", + expectedRange: &topodatapb.KeyRange{ + Start: []byte{0x40}, + End: []byte{0x80}, + }, + valid: true, + }, + { + name: "foo-bar", + valid: false, + }, + { + name: "a/b", + valid: false, + }, + } + + for _, tcase := range cases { + tcase := tcase + t.Run(tcase.name, func(t *testing.T) { + t.Parallel() + + _, kr, err := ValidateShardName(tcase.name) + if !tcase.valid { + assert.Error(t, err, "expected %q to be an invalid shard name", tcase.name) + return + } + + require.NoError(t, err, "expected %q to be a valid shard name, got error: %v", tcase.name, err) + utils.MustMatch(t, tcase.expectedRange, kr) + }) + } +}
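Review bot: the changelog hunk in changelog/16.0/16.0.2/summary.md ends without a trailing newline ("\ No newline at end of file"); add one so later appends to the summary do not run onto the last line. The text also states that TopoServer's `CreateShard` returns an error for such names, but the diff shown touches only `ValidateShardName` in go/vt/topo/shard.go, so that statement relies on `CreateShard` already calling `ValidateShardName`; worth confirming on the release branch, and worth a `CreateShard`-level test next to the unit test so the end-to-end rejection is pinned rather than implied.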
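Review bot: in the go/vt/topo/shard.go hunk the new guard in `ValidateShardName` is placed before `IsShardUsingRangeBasedSharding`, which is right (a name like `40/80` never reaches the key range parser), but the error text reads `invalid shardId` while the parameter is `shard` and the changelog speaks of shard names; consider `"invalid shard name, may not contain '/': %v"` so the message matches the documented term operators will search for. Since the function otherwise returns non range-based names unchanged, an empty or whitespace-only name still passes here; if those also produce unusable topo paths they deserve the same `INVALID_ARGUMENT` treatment in this function rather than in each caller.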
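Review bot: `TestValidateShardName` in the go/vt/topo/shard_test.go hunk covers `a/b` but no boundary forms of the new rejection: a leading slash (`/a`), a trailing slash (`a/`), a bare `/`, and a range-style name with a slash (`40/80`). The invalid cases also only `assert.Error`, so `foo-bar` (rejected by the range parsing path) and `a/b` (rejected by the new check) are indistinguishable in the test; assert `vterrors.Code(err) == vtrpc.Code_INVALID_ARGUMENT` for the slash cases so a regression that drops the guard but still fails range parsing does not go unnoticed.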
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] https://github.com/advisories/GHSA-pqj7-jx24-wj7w (GHSA advisory)
- [2] https://nvd.nist.gov/vuln/detail/CVE-2023-29195 (NVD entry)
- [3] https://github.com/vitessio/vitess/commit/9dcbd7de3180f47e94f54989fb5c66daea00c920 (fix commit)
- [4] https://github.com/vitessio/vitess/issues/12842 (issue)
- [5] https://github.com/vitessio/vitess/pull/12843 (pull request)
- [6] https://github.com/vitessio/vitess/releases/tag/v16.0.2 (release)
- [7] https://github.com/vitessio/vitess/security/advisories/GHSA-pqj7-jx24-wj7w (vendor advisory)
- [8] https://pkg.go.dev/vitess.io/vitess@v0.16.2 (Go module)