LoopBack connectors SQL injection vulnerability

  • Date: 09 Jan 2015 
  • Security risk: Highly critical
  • Vulnerability: SQL Injection


LoopBack allows you to define model properties (including id) as number types. A vulnerability in the implementations of relational database connectors allows an attacker to send specially crafted requests (SQL statements as the value of numbers) resulting in arbitrary SQL execution. This vulnerability can be exploited by anonymous users.

Reported by

David Kirchner

Versions affected

  • loopback-connector-postgresql prior to 1.3.0
  • loopback-connector-mssql prior to 1.3.0
  • loopback-connector-oracle prior to 1.5.0
  • loopback-connector-mysql prior to 1.5.0 (The SQL injection is not possible but invalid numbers are treated as NaN).


Please upgrade your project dependencies to use the latest versions of connectors and run npm update:

  • loopback-connector-postgresql@1.3.0
  • loopback-connector-mssql@1.3.0
  • loopback-connector-oracle@1.5.0
  • loopback-connector-mysql@1.5.0