
Posted on • Originally published at cvereports.com

GHSA-38CW-85XC-XR9X: Identity Crisis: Dumping Veramo's Digital Wallets via SQL Injection


Vulnerability ID: GHSA-38CW-85XC-XR9X
CVSS Score: 6.8
Published: 2026-01-16

A critical SQL injection vulnerability in the Veramo framework's data storage layer lets an authenticated attacker supply column names through the query ordering (order) parameter that are passed to the database as SQL. The result is exfiltration of sensitive data, including private keys and verifiable credentials, from the underlying database.

TL;DR

The Veramo framework, designed for Self-Sovereign Identity (SSI), contained a massive hole in its data access layer. By manipulating the order parameter in API requests, attackers could force the application to execute arbitrary SQL. This bypasses the ORM's protections, allowing full database dumps. If you run Veramo < 6.0.2, your DIDs and private keys are readable by any authenticated caller of the agent.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-89 (SQL Injection)
  • CVSS Score: 6.8 (Medium)
  • Attack Vector: Network (Authenticated)
  • Impact: High (Confidentiality & Integrity)
  • Vulnerable Component: decorateQB()
  • Fix Type: Input Validation (Whitelist)

Affected Systems

  • Veramo Framework
  • @veramo/data-store: < 6.0.2 (Fixed in: 6.0.2)
  • @veramo/data-store-json: < 6.0.2 (Fixed in: 6.0.2)

Code Analysis

Commit: 067e39d

fix: sql injection in data-store-orm

diff --git a/packages/data-store/src/data-store-orm.ts b/packages/data-store/src/data-store-orm.ts
index ...
--- a/packages/data-store/src/data-store-orm.ts
+++ b/packages/data-store/src/data-store-orm.ts
@@ -1,4 +1,5 @@
+import { ALLOWED_COLUMNS } from './constants'
...
-      qb = qb.addSelect(
-        qb.connection.driver.escape(tableName) + '.' + qb.connection.driver.escape(item.column),
-        item.column,
-      )
+      if (!allowedColumns.includes(item.column)) throw new Error('Invalid column')
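Review bot: the name imported on the first added line, ALLOWED_COLUMNS from './constants', does not match the allowedColumns used in the added guard, so as shown the hunk either references an undeclared identifier or depends on a local alias introduced somewhere in the elided "..." lines; use one name consistently. The three removed lines also delete the qb.addSelect(...) call outright while the only added line is the guard, so after this hunk the validated column is never selected at all; unless the excerpt is trimmed, the guard should sit in front of a retained addSelect rather than replace it. Note that qb.connection.driver.escape() was already applied to item.column on the removed lines, so identifier escaping alone was the pre-fix state; the allow-list membership check is the right fix, and a dedicated error type instead of Error('Invalid column') would let callers map the rejection to a client error rather than a generic failure.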

Mitigation Strategies

  • Input Validation: Implement strict allow-lists for all dynamic column names in SQL queries.
  • Update Dependencies: Upgrade @veramo/data-store to version 6.0.2 or higher immediately.
  • Least Privilege: Ensure the database user connected to the Veramo agent does not have permission to read the 'private-key' table unless absolutely necessary, or segregate keys into a different storage backend.

Remediation Steps:

  1. Locate your package.json file.
  2. Update @veramo/data-store and @veramo/data-store-json to ^6.0.2.
  3. Run npm install or yarn install to apply changes.
  4. Restart the Veramo agent service.
  5. If you have implemented custom data stores using decorateQB, manually implement the ALLOWED_COLUMNS check.
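The allow-list check that the mitigation bullet and step 5 ask custom data stores to add, written out as an added example that is not Veramo's code. It assumes a TypeORM-style query builder with an addOrderBy(column, direction) method and stands one in with a small FakeQueryBuilder that only records what it was asked to do; the column names in ALLOWED_COLUMNS and the table name "credential" are constructed for the example. The point it shows is that membership in the allow-list is the entire check: the string forwarded to the builder is the allow-list's own entry, and anything else, including a column that exists but is not meant to be sortable, is rejected before any SQL is built.

```typescript
type SortDirection = 'ASC' | 'DESC'

interface OrderClause {
  column: string
  direction: SortDirection
}

// Hypothetical allow-list for this example. In a real store, derive it from
// the entity's column metadata rather than hand-maintaining it.
const ALLOWED_COLUMNS: ReadonlySet<string> = new Set([
  'hash',
  'issuanceDate',
  'expirationDate',
  'type',
  'issuer',
  'subject',
])

const ALLOWED_DIRECTIONS: ReadonlySet<string> = new Set(['ASC', 'DESC'])

// Dedicated error type so callers can map a bad request to a 4xx response.
class InvalidOrderError extends Error {
  constructor(message: string) {
    super(message)
    this.name = 'InvalidOrderError'
  }
}

// Stand-in for the part of a TypeORM-style SelectQueryBuilder that a
// decorateQB-like helper touches. It records orderings and renders them.
class FakeQueryBuilder {
  readonly orderings: Array<[string, SortDirection]> = []

  addOrderBy(sort: string, direction: SortDirection): this {
    this.orderings.push([sort, direction])
    return this
  }

  getSql(tableName: string): string {
    if (this.orderings.length === 0) return `SELECT * FROM "${tableName}"`
    const parts = this.orderings.map(([c, d]) => `"${tableName}"."${c}" ${d}`)
    return `SELECT * FROM "${tableName}" ORDER BY ${parts.join(', ')}`
  }
}

// Validate the untrusted `order` input. No escaping and no pattern matching:
// a column is accepted only if it is literally in the allow-list, and the
// direction only if it is ASC or DESC (case-insensitive, defaulting to ASC).
function validateOrder(
  raw: unknown,
  allowed: ReadonlySet<string> = ALLOWED_COLUMNS,
): OrderClause[] {
  if (raw === undefined || raw === null) return []
  if (!Array.isArray(raw)) throw new InvalidOrderError('order must be an array')
  return raw.map((item, i) => {
    if (typeof item !== 'object' || item === null) {
      throw new InvalidOrderError(`order[${i}] must be an object`)
    }
    const { column, direction } = item as { column?: unknown; direction?: unknown }
    if (typeof column !== 'string' || !allowed.has(column)) {
      // Deliberately does not echo the rejected value back to the caller.
      throw new InvalidOrderError(`order[${i}].column is not an allowed column`)
    }
    const dir = typeof direction === 'string' ? direction.toUpperCase() : 'ASC'
    if (!ALLOWED_DIRECTIONS.has(dir)) {
      throw new InvalidOrderError(`order[${i}].direction must be ASC or DESC`)
    }
    return { column, direction: dir as SortDirection }
  })
}

// Hardened decorateQB-style helper: only validated clauses reach the builder.
function applyOrder(qb: FakeQueryBuilder, raw: unknown): FakeQueryBuilder {
  for (const clause of validateOrder(raw)) {
    qb.addOrderBy(clause.column, clause.direction)
  }
  return qb
}

// Non-throwing wrapper so a caller can inspect acceptance or rejection.
function tryApplyOrder(
  raw: unknown,
  tableName = 'credential',
): { sql?: string; error?: string } {
  try {
    return { sql: applyOrder(new FakeQueryBuilder(), raw).getSql(tableName) }
  } catch (e) {
    return { error: e instanceof Error ? e.name : String(e) }
  }
}
```

Using a Set rather than an array keeps the check O(1) and, more importantly, makes the intent unmistakable at review time: there is no code path in which a caller-controlled string is concatenated into the query. Pair it with the least-privilege advice above so that even a future regression in this layer cannot reach the private-key table.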
