cruddl vulnerable to ArangoDB Query Language (AQL) injection through flexSearch

Severity:: High

Description

If a vunerable version of cruddl is used to generate a schema that uses @flexSearchFulltext, users of that schema may be able to inject arbitrary AQL queries that will be forwarded to and executed by ArangoDB.

Schemas that do not use @flexSearchFulltext are not affected.

Recommendation

Update the cruddl package to the latest compatible version. Followings are version details:

Affected version(s): **>= 1.1.0, < 2.7.0 >= 3.0.0, < 3.0.2**
Patched version(s): **2.7.0 3.0.2**

References

GHSA-qm4w-4995-vg7f
CVE-2022-36084
CWE-74
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

Nodejs ‘undici’ vulnerable to CRLF Injection via Content-Type - CVE-2022-35948
Joplin Vulnerable to Code Injection - CVE-2022-23340
BrowserStack Local vulnerable to Command Injection through logfile variable - CVE-2025-57283
Eta vulnerable to Code Injection via templates rendered with user-defined data - CVE-2022-25967

Tags:: npm; cruddl

Anything's wrong? Let us know Last updated on January 27, 2023