Moderate severity · NVD Advisory · Published May 16, 2025 · Updated May 16, 2025

CVE-2024-40120

Description

seaweedfs v3.68 was discovered to contain a SQL injection vulnerability via the component /abstract_sql/abstract_sql_store.go.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SeaweedFS v3.68 and earlier contains a SQL injection vulnerability in the Filer server when MySQL is used as the metadata store, allowing attackers to execute arbitrary SQL commands.

Vulnerability Overview

SeaweedFS versions prior to 3.69 are vulnerable to a SQL injection flaw (CWE-89) in the Filer server component. The vulnerability resides in the file weed/filer/abstract_sql/abstract_sql_store.go, where user-controlled input, specifically the bucket name parameter, is unsafely concatenated into SQL statements using fmt.Sprintf without proper sanitization or parameterization [2], [3]. This affects all SQL generation methods, including GetSqlFind, GetSqlListExclusive, GetSqlCreateTable, GetSqlDelete, and GetSqlDropTable [2], [3].
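
The concatenation pattern described above, next to a validated form. This is an added example, not SeaweedFS code: the function names, query text and allow-list regex are assumptions made for illustration, and the sample bucket names are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// Illustrative query text (assumption); the bucket name is used as the table name.
const findTmpl = "SELECT meta FROM `%s` WHERE name = ?"

var errInvalidBucket = errors.New("invalid bucket name")

// Assumed allow-list: 3-63 characters of [a-z0-9.-], starting and ending
// with a letter or digit. Backticks, quotes, spaces and ';' never match.
var bucketRe = regexp.MustCompile(`^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$`)

// unsafeFindSQL (hypothetical) reproduces the flawed pattern: caller-supplied
// text becomes part of the statement through fmt.Sprintf.
func unsafeFindSQL(bucket string) string {
	return fmt.Sprintf(findTmpl, bucket)
}

// safeFindSQL (hypothetical) validates the identifier first. Table names
// cannot be bound as ? parameters, so an allow-list is the control here;
// row values still travel as placeholders.
func safeFindSQL(bucket string) (string, error) {
	if !bucketRe.MatchString(bucket) {
		return "", fmt.Errorf("%w: %q", errInvalidBucket, bucket)
	}
	return fmt.Sprintf(findTmpl, bucket), nil
}

func main() {
	// Constructed sample names: one valid, two that must be rejected.
	for _, b := range []string{"photos-2024", "x` WHERE 1=1 -- ", "My_Bucket"} {
		q, err := safeFindSQL(b)
		fmt.Printf("name   %q\nunsafe %s\nsafe   %q err=%v\n\n", b, unsafeFindSQL(b), q, err)
	}
}
```

With the second sample name, the unsafe builder's output shows the statement structure changing, while the validated builder returns an error before any SQL text is produced.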

Exploitation and Attack Surface

An attacker can exploit this vulnerability by crafting malicious bucket names that inject arbitrary SQL commands into queries executed against the MySQL metadata database. The Filer server must be configured with MySQL as the file metadata store (filer.toml with the mysql2 section enabled) for this attack to be feasible [2], [3]. The vulnerability does not require authentication if the Filer endpoint is exposed, but typical deployments may require prior access or the ability to create buckets [1], [2].

Impact

Successful exploitation can lead to severe consequences. A SELECT injection allows an attacker to read, modify, or exfiltrate sensitive metadata stored in the database, potentially retrieving file names, directory structures, and other stored information. Operations such as DROP, CREATE, and DELETE could be used to destroy or alter the metadata tables, leading to data loss or denial of service [2], [3]. The impact is most critical for SELECT injection, as it can enable broader data breaches.

Mitigation Status

The vulnerability has been addressed in SeaweedFS version 3.69, released after the disclosure. It is recommended that all users upgrade to version 3.69 or later [2]. Administrators should also ensure their Filer server is not directly exposed to untrusted networks, and use input validation or prepared statements to prevent similar injection attacks in the future. No other workarounds are listed in the advisories [1], [2], [3], [4].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: github.com/seaweedfs/seaweedfs (Go)
Affected versions: < 0.0.0-20240625155419-9ac102336200
Patched versions: 0.0.0-20240625155419-9ac102336200

Affected products: 9

Patches: 1

Commit 9ac102336200

check bucket name in sql backend

https://github.com/seaweedfs/seaweedfs · chrislu · Jun 25, 2024 · via ghsa
1 file changed · +6 -0
  • weed/filer/abstract_sql/abstract_sql_store.go · +6 -0 · modified
    @@ -7,6 +7,7 @@ import (
     	"github.com/seaweedfs/seaweedfs/weed/filer"
     	"github.com/seaweedfs/seaweedfs/weed/glog"
     	"github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
    +	"github.com/seaweedfs/seaweedfs/weed/s3api/s3bucket"
     	"github.com/seaweedfs/seaweedfs/weed/util"
     	"strings"
     	"sync"
    @@ -140,6 +141,8 @@ func (store *AbstractSqlStore) getTxOrDB(ctx context.Context, fullpath util.Full
     			}
     		}
     
    +	} else {
    +		err = fmt.Errorf("invalid bucket name %s", bucket)
     	}
     
     	return
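Review bot: the new else branch in getTxOrDB formats the rejected name with %s in fmt.Errorf("invalid bucket name %s", bucket). That value is untrusted by definition and may contain backticks, whitespace or newlines, so prefer %q to have it quoted and escaped wherever the error is logged or returned. The message also gives no reason for the rejection; if isValidBucket returned the validator's error instead of a bool, it could be wrapped here with %w.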
    @@ -340,6 +343,9 @@ func (store *AbstractSqlStore) Shutdown() {
     }
     
     func isValidBucket(bucket string) bool {
    +	if s3bucket.VerifyS3BucketName(bucket) != nil {
    +		return false
    +	}
     	return bucket != DEFAULT_TABLE && bucket != ""
     }
     
    
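Review bot: in isValidBucket the error from s3bucket.VerifyS3BucketName is discarded, and nothing in the function says that this check is what makes the bucket name safe to use as a SQL table name. A short comment stating that invariant would keep a later relaxation of the S3 naming rules in the s3api package from being made without considering the SQL stores. The commit is +6 lines in one file with no test, so a unit test with names containing backticks, quotes and spaces would be worth adding as well.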

References: 6
