DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

GHSA-F2MF-Q878-GH58: Parsl Tongue: SQL Injection in High-Performance Computing Visualization


Vulnerability ID: GHSA-F2MF-Q878-GH58
CVSS Score: 8.6
Published: 2026-01-06

Parsl, a parallel scripting library for Python often used in academic and high-performance computing (HPC) environments, contains a critical SQL injection vulnerability in its monitoring dashboard. The flaw allows unauthenticated attackers to manipulate database queries via the visualization interface, potentially exposing sensitive workflow metadata and environment configurations.

TL;DR

The 'parsl-visualize' dashboard interpolates the 'workflow_id' URL parameter directly into a raw SQL string without sanitizing or binding it. This allows unauthenticated remote attackers to execute arbitrary SQL commands via Boolean-based blind injection. The vulnerability affects all versions prior to the January 5, 2026 patch.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-89 (SQL Injection)
  • Attack Vector: Network (Web Dashboard)
  • CVSS Score: 8.6 (High)
  • Affected Component: parsl.monitoring.visualization
  • Exploit Status: PoC Available
  • Authentication: None Required

Affected Systems

  • Parsl (Python Parallel Scripting Library)
  • parsl-visualize dashboard
  • Parsl: all builds before commit 013a928461e70f38a33258bd525a351ed828e974 (fixed in that commit)

Code Analysis

Commit: 013a928

Switch two visualization views to safer SQL parameter style (#4049)

- query = """SELECT ... WHERE task.run_id='%s'""" % (workflow_id)
- df_tasks = pd.read_sql_query(query, db.engine)
+ query = """SELECT ... WHERE task.run_id=:run_id"""
+ df_tasks = pd.read_sql_query(sqlalchemy.text(query), db.engine, params={"run_id": workflow_id})
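Review bot: The visible hunk converts only this one query, while the commit title says two views were switched; any other `%`-formatted SQL strings in the same module stay injectable and need the same `sqlalchemy.text(query)` plus `params={...}` treatment. Also confirm that `sqlalchemy` is imported in views.py, since the added line references `sqlalchemy.text` and no import appears in the shown lines.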

Exploit Details

  • Manual: Boolean-based blind injection via workflow_id URL parameter

Mitigation Strategies

  • Input Sanitization via Parameterization
  • Network Segmentation
  • Authentication Layers

Remediation Steps:

  1. Identify the installation location of parsl.
  2. Verify if parsl/monitoring/visualization/views.py contains raw SQL strings with %s.
  3. Upgrade to the latest version of Parsl immediately.
  4. If upgrading is impossible, manually patch views.py to use sqlalchemy.text and params.
  5. Ensure the parsl-visualize port (default 8080) is not exposed to the public internet.
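The contrast behind remediation step 4, as an added example that is not Parsl's own code: the pre-fix `%` formatting beside the post-fix `:run_id` named-parameter binding, run against a constructed in-memory table using the stdlib sqlite3 driver instead of SQLAlchemy and pandas so it runs stand-alone (the `task` column names are assumed).

```python
import sqlite3

# Constructed sample rows standing in for Parsl's monitoring database.
SAMPLE_TASKS = [
    ("run-1", 0, "done"),
    ("run-1", 1, "done"),
    ("run-2", 0, "failed"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory 'task' table shaped like the one the dashboard queries."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE task (run_id TEXT, task_id INTEGER, task_status TEXT)")
    conn.executemany("INSERT INTO task VALUES (?, ?, ?)", SAMPLE_TASKS)
    return conn


def tasks_for_workflow_legacy(conn: sqlite3.Connection, workflow_id: str) -> list:
    """Pre-fix pattern: the URL parameter is pasted into the SQL text itself,
    so any quote character in the value alters the statement."""
    query = "SELECT task_id, task_status FROM task WHERE task.run_id='%s'" % (workflow_id)
    return conn.execute(query).fetchall()


def tasks_for_workflow(conn: sqlite3.Connection, workflow_id: str) -> list:
    """Post-fix pattern (#4049): the value is bound to the :run_id placeholder
    and the driver always treats it as a single string literal."""
    query = "SELECT task_id, task_status FROM task WHERE task.run_id=:run_id"
    return conn.execute(query, {"run_id": workflow_id}).fetchall()


def legacy_breaks_on_quote(conn: sqlite3.Connection, workflow_id: str) -> bool:
    """True when the legacy query cannot even be parsed for this input,
    which is the symptom that the value was merged into the SQL grammar."""
    try:
        tasks_for_workflow_legacy(conn, workflow_id)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    print("bound query, id with a quote:", tasks_for_workflow(db, "run'1"))
    print("legacy query breaks on a quote:", legacy_breaks_on_quote(db, "run'1"))
```

An id containing a single quote is simply an unmatched literal for the bound query, while the legacy query fails to parse, which is the same boundary an injected condition would exploit.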

Read the full report for GHSA-F2MF-Q878-GH58 on our website for more details including interactive diagrams and full exploit analysis.
