QuantumNous new-api self Endpoint topup.go SearchAllTopUps sql injection
Description
A weakness has been identified in QuantumNous new-api up to 0.12.1. The impacted element is the function SearchUserTopUps/SearchAllTopUps of the file model/topup.go of the component self Endpoint. This manipulation causes sql injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An unescaped LIKE injection in QuantumNous new-api up to 0.12.1 allows authenticated remote attackers to cause database denial of service via crafted wildcard patterns.
Vulnerability
An unescaped LIKE injection vulnerability exists in the SearchUserTopUps and SearchAllTopUps functions in model/topup.go of QuantumNous new-api up to version 0.12.1. The application directly concatenates user-supplied keyword parameters into a GORM LIKE query without escaping SQL wildcard characters (% and _). Specifically, the code constructs like := "%%" + keyword + "%%" and passes it to query.Where("trade_no LIKE ?", like), allowing attackers to inject arbitrary wildcard patterns that are interpreted by the database engine [1].
Exploitation
An authenticated attacker can remotely trigger the vulnerability by sending a GET request to the /api/user/topup/self endpoint with a keyword parameter containing complex wildcard sequences (e.g., %%%%%%%%%%%%%%%_%%_%_%). No special privileges beyond authentication are required. The database then performs expensive pattern-matching operations, consuming excessive CPU resources and potentially blocking all database connections [1].
Impact
Successful exploitation leads to a denial-of-service (DoS) condition against the underlying database. The attack does not result in data disclosure, modification, or remote code execution; it solely impacts availability by exhausting database resources and causing slow SQL queries or complete service unavailability [1].
Mitigation
As of the publication date, the vendor has not responded to disclosure and no patched version has been released. Users of QuantumNous new-api up to 0.12.1 should consider implementing input sanitization to escape or reject SQL wildcard characters (%, _) in the keyword parameter, or apply a web application firewall (WAF) rule to block suspicious patterns. No official fix is available [1].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: <=0.12.1
Patches
1eacc245bad1cMerge pull request #4106 from HynoR/feat/fix
4 files changed · +37 −9
web/src/components/playground/configStorage.js+4 −0 modified@@ -65,11 +65,15 @@ export const loadConfig = () => { const savedConfig = localStorage.getItem(STORAGE_KEYS.CONFIG); if (savedConfig) { const parsedConfig = JSON.parse(savedConfig); + const parsedMaxTokens = parseInt(parsedConfig?.inputs?.max_tokens, 10); const mergedConfig = { inputs: { ...DEFAULT_CONFIG.inputs, ...parsedConfig.inputs, + max_tokens: Number.isNaN(parsedMaxTokens) + ? parsedConfig?.inputs?.max_tokens + : parsedMaxTokens, }, parameterEnabled: { ...DEFAULT_CONFIG.parameterEnabled,
web/src/components/playground/ParameterControl.jsx+13 −7 modified@@ -18,7 +18,14 @@ For commercial licensing, please contact support@quantumnous.com */ import React from 'react'; -import { Input, Slider, Typography, Button, Tag } from '@douyinfe/semi-ui'; +import { + Input, + InputNumber, + Slider, + Typography, + Button, + Tag, +} from '@douyinfe/semi-ui'; import { useTranslation } from 'react-i18next'; import { Hash, @@ -241,15 +248,14 @@ const ParameterControl = ({ disabled={disabled} /> </div> - <Input + <InputNumber placeholder='MaxTokens' name='max_tokens' - required - autoComplete='new-password' - defaultValue={0} value={inputs.max_tokens} - onChange={(value) => onInputChange('max_tokens', value)} - className='!rounded-lg' + onNumberChange={(value) => onInputChange('max_tokens', value)} + min={0} + precision={0} + style={{ width: '100%' }} disabled={!parameterEnabled.max_tokens || disabled} /> </div>
web/src/helpers/api.js+12 −1 modified@@ -150,7 +150,18 @@ export const buildApiPayload = ( const value = inputs[param]; const hasValue = value !== undefined && value !== null; - if (enabled && hasValue) { + if (!enabled) { + return; + } + + if (param === 'max_tokens') { + if (typeof value === 'number') { + payload[param] = value; + } + return; + } + + if (hasValue) { payload[param] = value; } });
web/src/hooks/playground/usePlaygroundState.js+8 −1 modified@@ -167,7 +167,14 @@ export const usePlaygroundState = () => { // 配置导入/重置 const handleConfigImport = useCallback((importedConfig) => { if (importedConfig.inputs) { - setInputs((prev) => ({ ...prev, ...importedConfig.inputs })); + const parsedMaxTokens = parseInt(importedConfig.inputs.max_tokens, 10); + setInputs((prev) => ({ + ...prev, + ...importedConfig.inputs, + max_tokens: Number.isNaN(parsedMaxTokens) + ? importedConfig.inputs.max_tokens + : parsedMaxTokens, + })); } if (importedConfig.parameterEnabled) { setParameterEnabled((prev) => ({
Vulnerability mechanics
Root cause
"Missing input sanitization in SearchUserTopUps/SearchAllTopUps functions in model/topup.go allows SQL injection via user-controlled parameters."
Attack vector
An attacker can send crafted HTTP requests to the self endpoint that invokes `SearchUserTopUps` or `SearchAllTopUps` in `model/topup.go`. By injecting SQL meta-characters into the query parameters (e.g., search terms or filter values), the attacker can manipulate the underlying SQL query. The attack is remotely exploitable without authentication, as the advisory does not specify any required privileges. Public exploit code has been released, lowering the barrier to exploitation.
Affected code
The vulnerability resides in the `SearchUserTopUps` and `SearchAllTopUps` functions within `model/topup.go`, which are exposed via a self endpoint. The patch provided ([patch_id=1995672]) does not touch `model/topup.go`; it only modifies frontend playground components (`ParameterControl.jsx`, `api.js`, `usePlaygroundState.js`, `configStorage.js`). Therefore, the patch does not address the SQL injection in the topup search functions, and the affected backend code path remains unpatched in this commit.
What the fix does
The patch [patch_id=1995672] only changes frontend code: it replaces a plain `Input` with `InputNumber` for `max_tokens`, adds type-checking in `buildApiPayload` to ensure `max_tokens` is a number, and parses `max_tokens` as an integer during config import/load. These changes sanitize a numeric input on the client side but do not touch the backend SQL query construction in `model/topup.go`. Consequently, the SQL injection vulnerability in `SearchUserTopUps`/`SearchAllTopUps` is not fixed by this commit.
Preconditions
- networkThe attacker must be able to send HTTP requests to the self endpoint that triggers SearchUserTopUps or SearchAllTopUps.
- authThe advisory does not specify authentication requirements; if authentication is required, the attacker must have valid credentials.
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- gist.github.com/YLChen-007/cf501d0a66c81298b2f97e854f3813dbmitreexploit
- vuldb.com/submit/812192mitrethird-party-advisory
- vuldb.com/submit/812195mitrethird-party-advisory
- vuldb.com/vuln/365252mitrevdb-entrytechnical-description
- vuldb.com/vuln/365252/ctimitresignaturepermissions-required
News mentions
0No linked articles in our index yet.