GHSA-cxv7-gmmp-228p

Source
https://github.com/advisories/GHSA-cxv7-gmmp-228p
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-cxv7-gmmp-228p/GHSA-cxv7-gmmp-228p.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-cxv7-gmmp-228p
Aliases
  • CVE-2026-47375
Published
2026-06-05T15:59:28Z
Modified
2026-06-05T16:15:06.934531742Z
Severity
  • 6.0 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:H CVSS Calculator
Summary
NocoDB: Postgres SQL Injection in Formula `ARRAYSORT`
Details

Summary

An authenticated user with columnAdd permission on a Postgres-backed base can inject arbitrary SQL into the formula engine via the optional direction argument of ARRAYSORT(...). The value is unrestricted by formula validation and embedded into a knex.raw ORDER BY clause, executing during column creation and on every subsequent record read of the formula column.

Details

The vulnerability is specific to the Postgres mapping for ARRAYSORT in packages/nocodb/src/db/functionMappings/pg.ts. Two factors combine:

  1. ARRAYSORT declares only argument count, not validation.args.type, so validate-extract-tree.ts does not enforce an allowlist on the second argument.
  2. The Postgres mapping then passes the attacker-controlled value through sanitize(knex.raw(...)) into a raw SQL fragment:
const direction = pt.arguments[1]
  ? sanitize(
      knex.raw(pt.arguments[1]?.value ?? (await fn(pt.arguments[1])).builder),
    )
  : knex.raw('asc');

return {
  builder: knex.raw(`ARRAY(SELECT UNNEST(??) ORDER BY 1 ??)`, [source, direction]),
};

sanitize() in sqlSanitize.ts only escapes ? placeholder characters; it does not validate SQL syntax. A payload such as "desc, (SELECT COUNT(*) FROM generate_series(1,30000000))" is accepted, persisted, and re-executed on every read of the formula column.
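As an added illustration (not NocoDB's code), the TypeScript below contrasts the vulnerable shape of the direction handling with an allowlisted version, using a small stand-in for knex.raw's `??` identifier binding; the column name `tags` and the function names are assumptions.

```typescript
// Added example, not the project's code. Models the ORDER BY direction path
// described in the advisory with a minimal stand-in for knex.raw.
type RawFragment = { sql: string };

// Stand-in for knex.raw(sql, bindings): each `??` takes the next binding.
// A string is quoted as an identifier; a RawFragment is spliced in verbatim,
// which is exactly how an unvalidated raw() value carries arbitrary SQL.
function raw(sql: string, bindings: Array<string | RawFragment> = []): RawFragment {
  let i = 0;
  const out = sql.replace(/\?\?/g, () => {
    const b = bindings[i++];
    return typeof b === 'string' ? `"${b.replace(/"/g, '""')}"` : b.sql;
  });
  return { sql: out };
}

// Vulnerable shape: the user-supplied direction argument is wrapped in raw()
// without validation, so whatever it contains lands inside ORDER BY.
function arraySortVulnerable(source: string, direction?: string): string {
  const dir = direction !== undefined ? raw(direction) : raw('asc');
  return raw('ARRAY(SELECT UNNEST(??) ORDER BY 1 ??)', [source, dir]).sql;
}

// Hardened shape: the direction must match an allowlist before it can become
// a raw fragment; anything else is rejected at formula-validation time.
const ORDER_DIRECTIONS = new Set(['asc', 'desc']);

function validateDirection(direction: string): 'asc' | 'desc' {
  const d = direction.trim().toLowerCase();
  if (!ORDER_DIRECTIONS.has(d)) {
    throw new Error(`ARRAYSORT: direction must be ASC or DESC, got ${JSON.stringify(direction)}`);
  }
  return d as 'asc' | 'desc';
}

function arraySortHardened(source: string, direction?: string): string {
  const dir = raw(direction === undefined ? 'asc' : validateDirection(direction));
  return raw('ARRAY(SELECT UNNEST(??) ORDER BY 1 ??)', [source, dir]).sql;
}
```

The hardened variant fails closed: a rejected direction raises before any SQL is built, so nothing is persisted to be re-executed on later reads.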

Impact

  • Authenticated SQL injection against Postgres-backed bases.
  • Requires columnAdd permission (creator/owner-level).
  • Proven impact: attacker-controlled heavy SQL causing multi-second query stalls (DoS).
  • Potentially extendable to broader SQL injection outcomes depending on database permissions and deployment hardening.
  • Limited to Postgres backends.

Credit

This issue was reported by @leduckhuong.

Database specific
{
    "nvd_published_at": null,
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-89"
    ],
    "github_reviewed_at": "2026-06-05T15:59:28Z",
    "github_reviewed": true
}
References

Affected packages

npm / nocodb

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2026.04.1

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-cxv7-gmmp-228p/GHSA-cxv7-gmmp-228p.json"