Description
An SQL injection vulnerability exists in the @veramo/data-store package that allows any authenticated user to execute arbitrary SQL queries against the database. The vulnerability is caused by insufficient validation of the column parameter in the order array of query requests.
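The kind of check whose absence the description refers to, as an added example that is not code from @veramo/data-store: column names cannot be bound as query parameters, so each `column` in the `order` array has to match a fixed allow-list exactly before it reaches the SQL text. The function name, the column set, the `direction` field and the `credential` alias are assumptions made for illustration.

```javascript
// Added example: allow-list check for the `order` array of a query request.
// ALLOWED_COLUMNS, buildOrderBy and the "credential" alias are hypothetical,
// not @veramo/data-store identifiers.
const ALLOWED_COLUMNS = new Set(['issuanceDate', 'expirationDate', 'issuer', 'type']);
const ALLOWED_DIRECTIONS = new Set(['ASC', 'DESC']);

function buildOrderBy(order, tableAlias = 'credential') {
  if (order === undefined) return '';
  if (!Array.isArray(order)) throw new TypeError('order must be an array');

  const terms = order.map((item, i) => {
    if (item === null || typeof item !== 'object') {
      throw new TypeError(`order[${i}] must be an object`);
    }
    const { column, direction = 'ASC' } = item;
    // Identifiers cannot be bound as query parameters, so the only safe input
    // is an exact match against a fixed set. The typeof check stops arrays or
    // objects whose toString() would otherwise reach the template below.
    if (typeof column !== 'string' || !ALLOWED_COLUMNS.has(column)) {
      // The rejected value is deliberately not echoed into the message.
      throw new RangeError(`order[${i}].column is not a sortable column`);
    }
    if (typeof direction !== 'string' || !ALLOWED_DIRECTIONS.has(direction)) {
      throw new RangeError(`order[${i}].direction must be ASC or DESC`);
    }
    return `"${tableAlias}"."${column}" ${direction}`;
  });
  return terms.length ? ` ORDER BY ${terms.join(', ')}` : '';
}

// Constructed sample requests: one well-formed, one with SQL text in `column`.
function demo() {
  const results = [];
  const samples = [
    [{ column: 'issuanceDate', direction: 'DESC' }, { column: 'issuer' }],
    [{ column: 'issuanceDate, (SELECT 1)', direction: 'ASC' }],
  ];
  for (const order of samples) {
    try { results.push(buildOrderBy(order)); }
    catch (e) { results.push(`rejected: ${e.message}`); }
  }
  return results;
}
console.log(demo());
```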
Recommendation
Update the @veramo/data-store package to the latest compatible version. Version details:
- Affected version(s): < 6.0.2
- Patched version(s): 6.0.2
References
Related Issues
- @saltcorn/data vulnerable to SQL Injection via jsexprToSQL Literal Handler - Vulnerability
- Drizzle ORM has SQL injection via improperly escaped SQL identifiers - CVE-2026-39356
- a12nserver vulnerable to potential SQL Injections via Knex dependency - Vulnerability
- Matrix-appservice-irc vulnerable to sql injection via roomIds argument - CVE-2022-3971
- Tags:
- npm
- @veramo/data-store
Last updated on January 16, 2026


