Description
An SQL injection vulnerability exists in the @veramo/data-store package that allows any authenticated user to execute arbitrary SQL queries against the database. The vulnerability is caused by insufficient validation of the column parameter in the order array of query requests.
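The fix pattern for this class of bug, as an added example that is not Veramo's own code: a column name in an ORDER BY clause cannot be bound as a query parameter, so the only reliable defence is to reject every `order[].column` value that is not on a fixed allowlist before the query reaches the ORM. The entity and column names, the `FindArgs` shape and the `buildOrderClause` helper are assumptions for illustration.

```typescript
// Added example (not the @veramo/data-store implementation): validate the
// `order` array of a data-store query against a fixed allowlist of column
// names before it is handed to the ORM. Identifiers cannot be parameterised,
// so exact-match allowlisting is the defence, not escaping.

type Direction = 'ASC' | 'DESC';
interface OrderEntry { column: string; direction: Direction }
interface FindArgs { order?: OrderEntry[]; take?: number; skip?: number }

// Columns a caller may sort by, per entity type (assumed names, not Veramo's).
const ORDERABLE_COLUMNS: Record<string, ReadonlySet<string>> = {
  credential: new Set(['id', 'issuanceDate', 'expirationDate', 'issuerId', 'subjectId']),
  message: new Set(['id', 'createdAt', 'from', 'to', 'type']),
};

class InvalidQueryError extends Error {}

// Returns a fresh array of order entries that are safe to interpolate as
// identifiers, or throws. Exact string comparison only: no trimming,
// case-folding or regex, so any value carrying punctuation or extra tokens
// can never match an allowlisted name.
function validateOrder(entity: string, args: FindArgs): OrderEntry[] {
  const allowed = ORDERABLE_COLUMNS[entity];
  if (!allowed) throw new InvalidQueryError(`unknown entity: ${entity}`);
  const order = args.order ?? [];
  if (!Array.isArray(order)) throw new InvalidQueryError('order must be an array');
  return order.map((entry) => {
    const column = (entry as { column?: unknown })?.column;
    const direction = (entry as { direction?: unknown })?.direction;
    if (typeof column !== 'string' || !allowed.has(column)) {
      throw new InvalidQueryError(`column not orderable: ${String(column)}`);
    }
    if (direction !== 'ASC' && direction !== 'DESC') {
      throw new InvalidQueryError(`invalid direction: ${String(direction)}`);
    }
    return { column, direction };
  });
}

// Builds a TypeORM-style `{ [column]: direction }` order object from
// validated entries only; untrusted input never reaches this object.
function buildOrderClause(entity: string, args: FindArgs): Record<string, Direction> {
  return Object.fromEntries(validateOrder(entity, args).map((o) => [o.column, o.direction]));
}
```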
Recommendation
Update the @veramo/data-store package to the latest compatible version. Version details:
- Affected version(s): < 6.0.2
- Patched version(s): 6.0.2
References
Related Issues
- TypeORM vulnerable to SQL injection via crafted request to repository.save or repository.update - CVE-2025-60542
- Parse Server vulnerable to SQL injection via `Increment` operation on nested object field in PostgreSQL - CVE-2026-31856
- Matrix-appservice-irc vulnerable to sql injection via roomIds argument - CVE-2022-3971
- ZDI-CAN-23894: Parse Server literalizeRegexPart SQL Injection Authentication Bypass Vulnerability - CVE-2024-39309
Tags:
- npm
- @veramo/data-store
Last updated on January 16, 2026