Vendure Core, the open-source engine behind the enterprise commerce platform Vendure, has addressed a high-severity security flaw that could have handed unauthenticated attackers direct access to the store database.
The vulnerability, rated CVSS 9.1, sits at the heart of how the platform handles multi-language requests.
The flaw is a classic instance of improper neutralization of special elements used in an SQL command, better known as SQL injection. According to the technical advisory, a user-controlled query string parameter is interpolated directly into a raw SQL expression without any parameterization or validation.
Specifically, the issue lies in how the languageCode parameter is handled. Because this parameter is fed into a raw SQL query, an attacker can supply a crafted string that causes arbitrary SQL to run against the database.
Unlike some vulnerabilities that are limited to a specific database environment, this flaw has a broad reach:
- Universal Impact: It affects all supported database backends, including PostgreSQL, MySQL/MariaDB, and SQLite.
- Unauthenticated Access: The vulnerability exists in the Vendure Shop API, meaning an unauthenticated attacker can exploit it remotely.
- Admin API Risk: While the Admin API is also affected, successful exploitation there requires valid authentication credentials.
The vulnerability spans multiple release lines of the @vendure/core package:
- Legacy Versions: All versions prior to 2.3.4.
- Modern Versions: Versions starting from 3.0.0 through 3.5.6.
- Current Branch: Versions 3.6.0 and 3.6.1.
The Vendure development team has acted quickly to release patches across all active branches. Organizations are urged to upgrade to a patched version immediately to secure their storefronts.
- @vendure/core 2.3.4
- @vendure/core 3.5.7
- @vendure/core 3.6.2
For teams that cannot perform a full upgrade immediately, a hotfix can be applied to RequestContextService.getLanguageCode. The fix adds a strict validation check at the request boundary so that languageCode is only accepted when it matches a safe format (/^[a-zA-Z0-9_-]+$/). Because the value is validated before it reaches any query, an injection payload is rejected before it can be interpolated.
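An added example, not Vendure's own code, of what such a boundary check looks like in TypeScript: the regex is the one from the advisory, while the query shape, the error class and the translationFilter helper are assumptions for illustration.

```typescript
// Added example, not Vendure's own code: a boundary check in the spirit of the
// advisory's hotfix for RequestContextService.getLanguageCode. Only values
// matching /^[a-zA-Z0-9_-]+$/ are admitted before anything touches SQL.

// Regex from the advisory: letters, digits, underscore and hyphen only.
const SAFE_LANGUAGE_CODE = /^[a-zA-Z0-9_-]+$/;

class InvalidLanguageCodeError extends Error {
  constructor(value: string) {
    super(`Rejected languageCode: ${JSON.stringify(value)}`);
    this.name = 'InvalidLanguageCodeError';
  }
}

// Hypothetical shape of the parsed query string (assumption, not Vendure's type).
// Query parsers commonly yield an array when a key is repeated, so allow for it.
interface RequestQuery {
  languageCode?: string | string[];
}

function isSafeLanguageCode(value: unknown): value is string {
  return typeof value === 'string' && SAFE_LANGUAGE_CODE.test(value);
}

// Resolve the language code for a request: missing -> channel default;
// repeated key, non-string or unsafe characters -> reject, never fall through.
function getLanguageCode(query: RequestQuery, channelDefault: string): string {
  const raw = query.languageCode;
  if (raw === undefined) {
    return channelDefault;
  }
  if (!isSafeLanguageCode(raw)) {
    throw new InvalidLanguageCodeError(String(raw));
  }
  return raw;
}

// Even a validated code belongs in a bound parameter, not in the SQL text.
// The fragment and its parameter list are returned separately so the
// database driver binds the value instead of the code being spliced in.
function translationFilter(languageCode: string): { sql: string; params: string[] } {
  const code = getLanguageCode({ languageCode }, 'en');
  return { sql: 'translation.languageCode = ?', params: [code] };
}
```

Validation at the boundary stops malformed input early; the bound parameter is what removes the injection class entirely, so a permanent fix should do both.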