LoopBack connectors SQL injection vulnerability
Warning: If you installed LoopBack connectors for PostgreSQL, Microsoft SQL Server, Oracle, or MySQL prior to 9 Jan 2015, you need to update the affected packages.
- Date: 09 Jan 2015
- Security risk: Highly critical
- Vulnerability: SQL Injection
LoopBack allows you to define model properties (including id) as number types. A vulnerability in the implementations of the relational database connectors allows an attacker to send specially crafted requests (SQL statements supplied as the value of a number-typed property), resulting in arbitrary SQL execution. This vulnerability can be exploited by anonymous users. The following connector versions are affected:
- loopback-connector-postgresql prior to 1.3.0
- loopback-connector-mssql prior to 1.3.0
- loopback-connector-oracle prior to 1.5.0
- loopback-connector-mysql prior to 1.5.0 (SQL injection is not possible, but invalid numbers are treated as NaN)
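As an added illustration (not code from LoopBack or any of its connectors), the following hypothetical query builder shows the pattern behind this class of bug and a hardened version of it. A property is declared as a number, but the value that arrives in a request is a string; the unsafe builder trusts the declared type and interpolates the value into the SQL text, while the safe builder validates the value against the declared type first and binds it as a parameter. The validation also rejects non-numeric strings and non-finite values, which covers the NaN case noted for the MySQL connector. The model definition, the value, and the function names (buildWhereUnsafe, buildWhereSafe, coerceNumber) are all constructed for this example.

```javascript
// Added example, not part of the advisory or of LoopBack itself.

// Hypothetical model definition in the style of a LoopBack model:
// the id property is declared as a number.
const productModel = {
  name: 'Product',
  properties: { id: { type: 'number' }, name: { type: 'string' } },
};

// Vulnerable pattern (for illustration only): the value is trusted because the
// property is *declared* numeric, but the request actually supplied a string,
// so whatever text it contains ends up inside the SQL statement.
function buildWhereUnsafe(model, prop, value) {
  return `SELECT * FROM ${model.name} WHERE ${prop} = ${value}`;
}

// Accept a finite number, or a string that is exactly a decimal number, and
// reject everything else. Returning NaN here would be the MySQL failure mode.
function coerceNumber(value) {
  if (typeof value === 'number') {
    if (!Number.isFinite(value)) throw new TypeError('non-finite number');
    return value;
  }
  if (typeof value === 'string' && /^-?\d+(\.\d+)?$/.test(value.trim())) {
    return Number(value);
  }
  throw new TypeError(`expected a number, got ${JSON.stringify(value)}`);
}

// Hardened pattern: the property name is checked against the model (so it is
// not attacker-controlled), the value is validated against the declared type,
// and the value is bound as a parameter instead of being interpolated.
function buildWhereSafe(model, prop, value) {
  const def = model.properties[prop];
  if (!def) throw new Error(`unknown property ${prop}`);
  const bound = def.type === 'number' ? coerceNumber(value) : String(value);
  // `?` is a placeholder; the driver sends `params` separately from the SQL text.
  return { sql: `SELECT * FROM ${model.name} WHERE ${prop} = ?`, params: [bound] };
}

// Constructed request value: a string arriving where a number was expected.
const craftedId = '1 OR 1=1';

console.log('unsafe:', buildWhereUnsafe(productModel, 'id', craftedId));
try {
  buildWhereSafe(productModel, 'id', craftedId);
} catch (e) {
  console.log('safe builder rejected the value:', e.message);
}
console.log('safe:', buildWhereSafe(productModel, 'id', '42'));
```

The important difference is where the type check happens: the unsafe builder relies on the model definition alone, while the safe builder checks the runtime value against it before any SQL text is assembled, and even then never places the value inside the statement string.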
Please upgrade your project dependencies to use the latest versions of the connectors and run npm update. Check your application's package.json to ensure that it specifies the correct version, for example: