GHSA-45rp-9p97-h852

Source
https://github.com/advisories/GHSA-45rp-9p97-h852
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-45rp-9p97-h852/GHSA-45rp-9p97-h852.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-45rp-9p97-h852
Aliases
Published
2026-03-03T20:58:55Z
Modified
2026-03-04T15:06:30.287237Z
Severity
  • 6.2 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
Summary
NocoDB Vulnerable to SQL Injection via DATEADD Formula
Details

Summary

An authenticated user with Creator role can inject arbitrary SQL via the DATEADD formula's unit parameter.

Details

The third argument (unit) of DATEADD was interpolated directly into knex.raw() queries after only stripping quote characters. The validation in formulas.ts only checked Literal AST node types, so an argument represented by any non-Literal node type bypassed validation entirely. The MySQL, PostgreSQL, and SQLite function mappings were all affected.
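The following is an added illustration, not NocoDB's own code: it contrasts the weak pattern the advisory describes (validate only Literal nodes, then strip quotes and interpolate) with an allowlist check applied to the resolved unit value whatever node type produced it. The AST shapes, the unit set and the string-building stand-in for knex.raw() are assumptions made for the example.

```typescript
// Constructed stand-in for a formula AST: the unit argument may arrive as a
// Literal or as some other node type (assumed shapes, not NocoDB's parser).
type Literal = { type: 'Literal'; value: string };
type Identifier = { type: 'Identifier'; name: string };
type UnitNode = Literal | Identifier;

// Assumed allowlist of interval units the formula supports.
const ALLOWED_UNITS: ReadonlySet<string> = new Set(['day', 'week', 'month', 'year']);

function resolveUnit(unit: UnitNode): string {
  return unit.type === 'Literal' ? unit.value : unit.name;
}

// Weak pattern from the advisory: the check runs only for Literal nodes, then
// quote characters are stripped and the value is interpolated into the SQL text.
// `column` is assumed to be an already identifier-quoted column name.
function dateaddSqlWeak(column: string, count: number, unit: UnitNode): string {
  if (unit.type === 'Literal' && !ALLOWED_UNITS.has(unit.value.toLowerCase())) {
    throw new Error('DATEADD: invalid unit');
  }
  const stripped = resolveUnit(unit).replace(/['"]/g, '');
  // Stand-in for knex.raw() with direct string interpolation (constructed).
  return `DATE_ADD(${column}, INTERVAL ${count} ${stripped.toUpperCase()})`;
}

// Hardened form: resolve the value first, then allowlist it regardless of node
// type, and only ever emit a keyword taken from the allowlist itself. The count
// is constrained to an integer because it is interpolated too.
function validateUnit(unit: UnitNode): string {
  const normalized = resolveUnit(unit).trim().toLowerCase();
  if (!ALLOWED_UNITS.has(normalized)) {
    throw new Error('DATEADD: unsupported unit');
  }
  return normalized;
}

function dateaddSqlSafe(column: string, count: number, unit: UnitNode): string {
  if (!Number.isInteger(count)) {
    throw new Error('DATEADD: count must be an integer');
  }
  const keyword = validateUnit(unit).toUpperCase();
  return `DATE_ADD(${column}, INTERVAL ${count} ${keyword})`;
}
```

The weak builder accepts any non-Literal node unchanged, so a value that is not a unit at all reaches the query text; the hardened builder rejects it before any SQL is built.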

Impact

SQL injection allowing data exfiltration or modification, scoped to the connected database.

Credit

This issue was reported by @q1uf3ng.

Database specific
{
    "nvd_published_at": "2026-03-02T17:16:35Z",
    "github_reviewed_at": "2026-03-03T20:58:55Z",
    "cwe_ids": [
        "CWE-89"
    ],
    "severity": "MODERATE",
    "github_reviewed": true
}
References

Affected packages

npm / nocodb

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.301.3

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-45rp-9p97-h852/GHSA-45rp-9p97-h852.json"
last_known_affected_version_range
"<= 0.301.2"