GHSA-v64v-fq96-c5wv

Suggest an improvement
Source
https://github.com/advisories/GHSA-v64v-fq96-c5wv
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-v64v-fq96-c5wv/GHSA-v64v-fq96-c5wv.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-v64v-fq96-c5wv
Aliases
Published
2025-04-23T18:30:58Z
Modified
2025-04-23T19:57:08.964516Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
PostHog Plugin Server SQL Injection Vulnerability
Details

PostHog ClickHouse Table Functions SQL Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of PostHog. Authentication is required to exploit this vulnerability.

The specific flaw exists within the implementation of the SQL parser. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of the database account. Was ZDI-CAN-25350.

Database specific
{
    "github_reviewed_at": "2025-04-23T19:38:40Z",
    "cwe_ids": [
        "CWE-89"
    ],
    "nvd_published_at": "2025-04-23T17:16:52Z",
    "severity": "HIGH",
    "github_reviewed": true
}
References

Affected packages

npm / @posthog/plugin-server

Package

Name
@posthog/plugin-server
View open source insights on deps.dev
Purl
pkg:npm/%40posthog/plugin-server

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
1.10.7