Description
An SQL injection vulnerability exists in the @veramo/data-store package that allows any authenticated user to execute arbitrary SQL queries against the database. The vulnerability is caused by insufficient validation of the column parameter in the order array of query requests.
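The class of flaw described above, shown beside an allowlist-based check, as an added example that is not code from @veramo/data-store. The request shape (`order: [{ column, direction }]`), the column names and the function names are assumptions made for illustration.

```javascript
// Added illustration; not code from @veramo/data-store.
// Assumed request shape: { order: [{ column, direction }] }.

// Hypothetical allowlist of columns a client may sort by.
const ORDERABLE_COLUMNS = new Set(['issuanceDate', 'expirationDate', 'issuer']);
const DIRECTIONS = new Set(['ASC', 'DESC']);

// Unsafe pattern: the client-supplied column string becomes SQL text.
function buildOrderByUnsafe(order = []) {
  const terms = order.map((o) => `${o.column} ${o.direction}`);
  return terms.length ? `ORDER BY ${terms.join(', ')}` : '';
}

// Hardened pattern: only allowlisted names reach the statement; anything
// else is rejected instead of being escaped or "cleaned".
function buildOrderBySafe(order = []) {
  if (!Array.isArray(order)) throw new TypeError('order must be an array');
  const terms = order.map((entry, i) => {
    const column = entry && entry.column;
    const direction = (entry && entry.direction) ?? 'ASC';
    if (typeof column !== 'string' || !ORDERABLE_COLUMNS.has(column)) {
      throw new RangeError(`order[${i}].column is not an orderable column`);
    }
    if (typeof direction !== 'string' || !DIRECTIONS.has(direction.toUpperCase())) {
      throw new RangeError(`order[${i}].direction must be ASC or DESC`);
    }
    return `"${column}" ${direction.toUpperCase()}`;
  });
  return terms.length ? `ORDER BY ${terms.join(', ')}` : '';
}

// Wrapper that reports rejection instead of throwing, e.g. for an API layer.
function check(order) {
  try {
    return { ok: true, sql: buildOrderBySafe(order) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Constructed sample requests.
const benign = [{ column: 'issuanceDate', direction: 'desc' }];
const hostile = [{ column: 'issuanceDate; SELECT 1 --', direction: 'ASC' }];

console.log(buildOrderByUnsafe(hostile)); // request text lands in the statement
console.log(check(benign));               // accepted, quoted identifier
console.log(check(hostile));              // rejected before any SQL is built
```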
Recommendation
Update the @veramo/data-store package to the latest compatible version. Version details:
- Affected version(s): < 6.0.2
- Patched version(s): 6.0.2
References
Related Issues
- Seroval affected by Denial of Service via Array serialization - CVE-2026-23957
- XSS in the `of` option of the `.position()` util in jquery-ui - CVE-2021-41184
- The AuthKit Remix Library renders sensitive auth data in HTML - CVE-2025-55009
- NextJS-Auth0 SDK Vulnerable to CDN Caching of Session Cookies - CVE-2025-48947
Tags
- npm
- @veramo/data-store
Last updated on January 16, 2026