GHSA-JFWG-RXF3-P7R9

Vulnerability from github – Published: 2026-04-06 17:56 – Updated: 2026-04-06 17:56
VLAI
Summary
Authorizer: CQL/N1QL Injection in Cassandra and Couchbase Backends via fmt.Sprintf String Interpolation
Details

Vulnerability Details

CWE: CWE-943 - Improper Neutralization of Special Elements in Data Query Logic

All 66+ CQL queries in internal/storage/db/cassandradb/ use fmt.Sprintf to interpolate user-controlled values directly into CQL query strings without parameterization.

Unauthenticated endpoints (signup, login, forgot_password, magic_link_login) pass user input directly into CQL query strings.

Note: This advisory covers the Cassandra CQL injection only. The Couchbase N1QL injection is tracked in a separate advisory per CVE rule 4.2.11.

Affected Code Pattern

// Before (VULNERABLE) - e.g. cassandradb/user.go
query := fmt.Sprintf("SELECT ... FROM %s WHERE email = '%s'", table, email)
err := p.db.Query(query).Scan(...)

Steps to Reproduce

  1. Deploy Authorizer <= 2.0.0 with Cassandra backend
  2. Send a signup request with a CQL injection payload in the email field:
curl -X POST http://localhost:8080/graphql \
  -H 'Content-Type: application/json' \
  -d '{"query":"mutation { signup(params: { email: \"test'\" }) { message } }"}'
  1. The single quote breaks out of the CQL string literal, causing a CQL parse error that leaks internal schema information
  2. Crafted payloads can manipulate query logic to bypass authentication or extract data

Affected Files (10 Cassandra files)

Package File Queries Fixed
cassandradb user.go 7
cassandradb otp.go 4
cassandradb session_token.go 19
cassandradb verification_requests.go 4
cassandradb authenticator.go 3
cassandradb email_template.go 5
cassandradb webhook.go 5
cassandradb webhook_log.go 2
cassandradb session.go 1
cassandradb env.go 2

Impact

An unauthenticated attacker can inject arbitrary CQL operators through the email, phone, or token parameters on public-facing endpoints (signup, login, forgot_password, magic_link_login). This enables authentication bypass and data exfiltration from the Cassandra keyspace.

Proposed Fix

Use parameterized queries:

// After (FIXED)
query := fmt.Sprintf("SELECT ... FROM %s WHERE email = ?", table)
err := p.db.Query(query, email).Scan(...)

Fixed in https://github.com/authorizerdev/authorizer/pull/500 (merged 2026-03-27).

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/authorizerdev/authorizer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20260327055742-73679faa53cd"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-209",
      "CWE-943"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-06T17:56:31Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Vulnerability Details\n\n**CWE:** CWE-943 - Improper Neutralization of Special Elements in Data Query Logic\n\nAll 66+ CQL queries in `internal/storage/db/cassandradb/` use `fmt.Sprintf` to interpolate user-controlled values directly into CQL query strings without parameterization.\n\nUnauthenticated endpoints (`signup`, `login`, `forgot_password`, `magic_link_login`) pass user input directly into CQL query strings.\n\n**Note:** This advisory covers the Cassandra CQL injection only. The Couchbase N1QL injection is tracked in a separate advisory per CVE rule 4.2.11.\n\n## Affected Code Pattern\n\n```go\n// Before (VULNERABLE) - e.g. cassandradb/user.go\nquery := fmt.Sprintf(\"SELECT ... FROM %s WHERE email = \u0027%s\u0027\", table, email)\nerr := p.db.Query(query).Scan(...)\n```\n\n## Steps to Reproduce\n\n1. Deploy Authorizer \u003c= 2.0.0 with Cassandra backend\n2. Send a signup request with a CQL injection payload in the email field:\n\n```bash\ncurl -X POST http://localhost:8080/graphql \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  -d \u0027{\"query\":\"mutation { signup(params: { email: \\\"test\u0027\\\" }) { message } }\"}\u0027\n```\n\n3. The single quote breaks out of the CQL string literal, causing a CQL parse error that leaks internal schema information\n4. Crafted payloads can manipulate query logic to bypass authentication or extract data\n\n## Affected Files (10 Cassandra files)\n\n| Package | File | Queries Fixed |\n|---------|------|--------------|\n| cassandradb | user.go | 7 |\n| cassandradb | otp.go | 4 |\n| cassandradb | session_token.go | 19 |\n| cassandradb | verification_requests.go | 4 |\n| cassandradb | authenticator.go | 3 |\n| cassandradb | email_template.go | 5 |\n| cassandradb | webhook.go | 5 |\n| cassandradb | webhook_log.go | 2 |\n| cassandradb | session.go | 1 |\n| cassandradb | env.go | 2 |\n\n## Impact\n\nAn unauthenticated attacker can inject arbitrary CQL operators through the email, phone, or token parameters on public-facing endpoints (signup, login, forgot_password, magic_link_login). This enables authentication bypass and data exfiltration from the Cassandra keyspace.\n\n## Proposed Fix\n\nUse parameterized queries:\n\n```go\n// After (FIXED)\nquery := fmt.Sprintf(\"SELECT ... FROM %s WHERE email = ?\", table)\nerr := p.db.Query(query, email).Scan(...)\n```\n\nFixed in https://github.com/authorizerdev/authorizer/pull/500 (merged 2026-03-27).",
  "id": "GHSA-jfwg-rxf3-p7r9",
  "modified": "2026-04-06T17:56:31Z",
  "published": "2026-04-06T17:56:31Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/authorizerdev/authorizer/security/advisories/GHSA-jfwg-rxf3-p7r9"
    },
    {
      "type": "WEB",
      "url": "https://github.com/authorizerdev/authorizer/pull/500"
    },
    {
      "type": "WEB",
      "url": "https://github.com/authorizerdev/authorizer/commit/73679faa53cd215c7524d651046e402c43809786"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/authorizerdev/authorizer"
    },
    {
      "type": "WEB",
      "url": "https://github.com/authorizerdev/authorizer/releases/tag/2.0.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Authorizer: CQL/N1QL Injection in Cassandra and Couchbase Backends via fmt.Sprintf String Interpolation"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…