eKuiper API endpoints handling SQL queries with user-controlled table names.
Description
LF Edge eKuiper is a lightweight IoT data analytics and stream processing engine running on resource-constrained edge devices. In versions before 2.2.1, there is a critical SQL Injection vulnerability in the getLast API functionality of the eKuiper project. This flaw allows unauthenticated remote attackers to execute arbitrary SQL statements on the underlying SQLite database by manipulating the table name input in an API request. Exploitation can lead to data theft, corruption, or deletion, and full database compromise. This is fixed in version 2.2.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated SQL injection in LF Edge eKuiper's getLast API allows arbitrary SQL execution on SQLite database, fixed in version 2.2.1.
LF Edge eKuiper, a lightweight IoT stream processing engine, is vulnerable to a critical SQL injection in the getLast API functionality. The root cause is the direct interpolation of user-controlled table names into SQL queries using fmt.Sprintf("SELECT * FROM %s ORDER BY rowid DESC LIMIT 1", table), without any sanitization or validation [3].
An unauthenticated remote attacker can exploit this flaw by sending a crafted HTTP POST request to the /sql-query endpoint, manipulating the table parameter to inject arbitrary SQL commands [1]. No authentication or special network position is required, making the attack surface broad.
Successful exploitation allows an attacker to execute arbitrary SQL statements on the underlying SQLite database, leading to data theft, corruption, or deletion, and potentially full database compromise [1].
The vulnerability is fixed in eKuiper version 2.2.1. The fix, implemented in commit 72c4918, introduces a table name validation function (isValidTableName) that rejects illegal inputs before query construction [4]. Users are strongly advised to upgrade to the latest version.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
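The allow-list validation and identifier quoting that the fix relies on, as an added example written for this page (not eKuiper's own isValidTableName or getLast): IsValidTableName, quoteIdent and BuildLastKeyQuery are hypothetical names, and the accepted identifier pattern and the 64-character cap are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Hypothetical allow-list for a SQLite table identifier (not eKuiper's
// isValidTableName): a letter or underscore, then letters, digits or
// underscores, at most 64 characters in total. Anything else (spaces,
// quotes, semicolons, comment markers) is rejected before it can reach
// fmt.Sprintf.
var tableNameRe = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]{0,63}$`)

// IsValidTableName reports whether table matches the allow-list.
func IsValidTableName(table string) bool {
	return tableNameRe.MatchString(table)
}

// quoteIdent double-quotes an already validated identifier so SQLite
// parses it as a name even if it collides with a keyword such as "key".
func quoteIdent(ident string) string {
	return `"` + strings.ReplaceAll(ident, `"`, `""`) + `"`
}

// BuildLastKeyQuery is the hardened form of the advisory's
// "SELECT key FROM %s ORDER BY key DESC LIMIT 1;" construction: the name
// is validated first, and an invalid name yields an error instead of a
// silently returned 0, so the caller (and its logs) can see the rejection.
func BuildLastKeyQuery(table string) (string, error) {
	if !IsValidTableName(table) {
		return "", fmt.Errorf("refusing to build query: invalid table name %q", table)
	}
	return fmt.Sprintf("SELECT key FROM %s ORDER BY key DESC LIMIT 1;", quoteIdent(table)), nil
}

func main() {
	// Constructed inputs: one legitimate store name, one crafted name of
	// the kind the advisory describes.
	for _, name := range []string{"ts_kv", "ts_kv; DROP TABLE ts_kv"} {
		q, err := BuildLastKeyQuery(name)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println("query:", q)
	}
}
```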
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/lf-edge/ekuiper/v2 | Go | < 2.2.1 | 2.2.1 |
| github.com/lf-edge/ekuiper | Go | <= 1.14.7 | — |
Affected products
- lf-edge/ekuiper, range: < 2.2.1
Patches
- 72c491874493 fix(kv): prepare ts query (#3767)
1 file changed · +7 −4
internal/pkg/store/sql/sqlTs.go+7 −4 modified@@ -39,12 +39,12 @@ func createSqlTs(database Database, table string) (*ts, error) { last: getLast(database, table), } err := store.database.Apply(func(db *sql.DB) error { - query := fmt.Sprintf("CREATE TABLE IF NOT EXISTS '%s'('key' INTEGER PRIMARY KEY, 'val' BLOB);", table) + query := fmt.Sprintf("CREATE TABLE IF NOT EXISTS %s ('key' INTEGER PRIMARY KEY, 'val' BLOB);", table) stmt, err := db.Prepare(query) if err != nil { return err } - _, err = stmt.Exec(query) + _, err = stmt.Exec() return err }) if err != nil { @@ -158,13 +158,16 @@ func (t ts) Drop() error { func getLast(d Database, table string) int64 { var last int64 = 0 + if !isValidTableName(table) { + return 0 // or handle the error appropriately + } _ = d.Apply(func(db *sql.DB) error { - query := fmt.Sprintf("SELECT key FROM %s Order by key DESC Limit 1;", table) + query := fmt.Sprintf("SELECT key FROM %s ORDER BY key DESC LIMIT 1;", table) stmt, err := db.Prepare(query) if err != nil { return err } - row := stmt.QueryRow(query) + row := stmt.QueryRow() return row.Scan(&last) }) return last
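Review bot: in the createSqlTs hunk the table name is still interpolated into `CREATE TABLE IF NOT EXISTS %s (...)` with no call to isValidTableName, and the change from `'%s'` to `%s` drops the quoting that was there; since the unchanged context line `last: getLast(database, table),` means getLast now merely returns 0 for a rejected name while the constructor carries on to run the DDL with that same raw name, apply the same check before building the CREATE TABLE (returning an error from createSqlTs when it fails) and prefer double-quoting the validated identifier (`"%s"`) so a name that collides with a keyword is still parsed as an identifier. The `stmt.Exec(query)` to `stmt.Exec()` correction is right: the prepared statement has no placeholders, so passing the query text as a bound argument was an error.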
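Review bot: the new guard in getLast returns 0 on an invalid table name with the comment `// or handle the error appropriately`, which reads as an unfinished placeholder; a caller cannot tell "table has no rows yet" from "name rejected", so either change the signature to `(int64, error)` and propagate the failure, or at least log the rejected name so an attempt of the kind this advisory describes is visible to operators. Also, isValidTableName is not defined anywhere in this diff (1 file changed, +7 −4, and all seven added lines are visible here), so the review should confirm where it is defined and that it allow-lists identifier characters rather than only rejecting empty input.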
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-526j-mv3p-f4vv (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-54379 (ghsa, ADVISORY)
- github.com/lf-edge/ekuiper/commit/72c4918744934deebf04e324ae66933ec089ebd3 (ghsa, x_refsource_MISC, WEB)
- github.com/lf-edge/ekuiper/security/advisories/GHSA-526j-mv3p-f4vv (ghsa, x_refsource_CONFIRM, WEB)