In early 2022, a serious vulnerability was discovered in the popular Feathers.js web framework. Tracked as CVE-2022-29822, the flaw is caused by improper filtering of client-supplied query parameters. This lapse allows attackers to perform SQL injection attacks on servers using Feathers.js with certain database adapters.

In this post, we’ll explain this vulnerability in simple terms, show how it can be exploited, and provide official references. If you’re running a Feathers.js app, don’t skip this one!

What is Feathers.js?

Feathers.js is a flexible web framework for building real-time applications. It provides a universal API for REST and WebSockets, and uses “adapters” to link to various back ends, including SQL databases like MySQL, PostgreSQL, and MSSQL.

Details of the Vulnerability

*CVE-2022-29822* occurs due to improper parameter filtering—Feathers services did not sufficiently sanitize or filter object query parameters received from clients. When using certain database adapters (feathers-knex or feathers-objection), user input could be injected directly into SQL queries.

This is dangerous because a hacker could craft a “where” clause that executes arbitrary SQL, potentially exposing or destroying your data.

Here’s what a common Feathers service might look like:

// users.service.js (simplified)
const { Service } = require('feathers-knex');

exports.Users = class Users extends Service {};

// In app.js
app.use('/users', new Users({
  Model: knex, // Assume already configured
  name: 'users'
}));

By default, Feathers allows query filters directly from the client, which are translated to SQL by the adapter. Here’s an innocent query:

GET /users?email=jane@example.com

This would result in a safe query like:

SELECT * FROM users WHERE email = 'jane@example.com'

With improper filtering, an attacker can send malicious payloads in the parameters. For example:

GET /users?email[like]=%'; DROP TABLE users; --

Feathers and its SQL adapter might translate this into:

SELECT * FROM users WHERE email LIKE '%'; DROP TABLE users; --%'

If the database adapter permits stacked queries (like old MySQL or badly configured MSSQL servers), the attacker could drop the users table, wiping out all your user data.

Another Example: Exposing All User Data

GET /users?$where=1=1

This special parameter, passed unchecked, may be interpreted directly as WHERE 1=1, effectively bypassing restrictions and exposing all user records—even those that should be hidden.

Why Did This Happen?

Feathers.js meant to offer flexible querying, but trusted the client’s input too much. Attackers exploited this trust by injecting raw SQL logic through crafted query objects. The problem was aggravated in scenarios where developers had not carefully configured the whitelist or did not sanitize/validate queries before sending them to the database.

Official References

- CVE-2022-29822 on NVD
- GitHub Advisory Database Entry
- Feathers PR Fix

How to Fix It

Feathers.js maintainers released a patch soon after the vulnerability was reported (in versions above 4.5.11 of feathers-knex and feathers-objection). Here’s what you should do:

```javascript
// Example: Only allow 'email' and 'id'
app.use('/users', new Users(options, {
```
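To make the mechanism concrete, here is an added example that is not code from Feathers, its adapters, or the CVE fix. It models the "query object to SQL" step described in the `email[like]` and `$where` examples above, and next to it the hardened behaviour the fix section calls for: a field allow-list, an operator allow-list, and bound parameters instead of string concatenation. The function names (`parseQuery`, `buildQueryUnsafe`, `buildQuerySafe`), the operator table, the allow-list contents, and the sample requests are all constructed for illustration; a real adapter builds its SQL through Knex or Objection rather than by hand.

```javascript
// Added example, not Feathers' or the adapters' own code. Everything here
// (function names, operator table, allow-lists, sample requests) is an
// illustrative assumption that models the behaviour the post describes.

// Parse "email[like]=x&id=5" into { email: { like: 'x' }, id: '5' }, the
// nested shape a bracket-aware query-string parser hands to a service.
function parseQuery(search) {
  const query = {};
  for (const [rawKey, value] of new URLSearchParams(search)) {
    const m = /^([^[\]]+)(?:\[([^[\]]+)\])?$/.exec(rawKey);
    if (!m) throw new Error(`unsupported key: ${rawKey}`);
    const [, field, op] = m;
    if (op) {
      query[field] = Object.assign(query[field] || {}, { [op]: value });
    } else {
      query[field] = value;
    }
  }
  return query;
}

// Operators the toy adapter understands (assumed subset).
const OPERATORS = { like: 'LIKE', gt: '>', gte: '>=', lt: '<', lte: '<=', ne: '<>' };
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Models the flaw: every field and operator the client sends is accepted,
// "$where" is passed through as raw SQL, and values are spliced into the text.
function buildQueryUnsafe(table, query) {
  const clauses = [];
  for (const [field, cond] of Object.entries(query)) {
    if (field === '$where') {            // raw passthrough, as in the post's example
      clauses.push(String(cond));
      continue;
    }
    if (cond !== null && typeof cond === 'object') {
      for (const [op, value] of Object.entries(cond)) {
        const sqlOp = hasOwn(OPERATORS, op) ? OPERATORS[op] : op.toUpperCase();
        clauses.push(`${field} ${sqlOp} '${value}'`);   // no escaping, no binding
      }
    } else {
      clauses.push(`${field} = '${cond}'`);
    }
  }
  return `SELECT * FROM ${table}` + (clauses.length ? ` WHERE ${clauses.join(' AND ')}` : '');
}

// Hardened translator: unknown fields and operators are rejected, and every
// value becomes a bound parameter. Returns { sql, params } so the driver sends
// values separately from the statement text; a value cannot change structure.
function buildQuerySafe(table, query, allowedFields,
                        allowedOps = ['like', 'gt', 'gte', 'lt', 'lte', 'ne']) {
  const clauses = [];
  const params = [];
  for (const [field, cond] of Object.entries(query)) {
    if (!allowedFields.includes(field)) throw new Error(`field not allowed: ${field}`);
    if (cond !== null && typeof cond === 'object') {
      for (const [op, value] of Object.entries(cond)) {
        if (!allowedOps.includes(op) || !hasOwn(OPERATORS, op)) {
          throw new Error(`operator not allowed: ${op}`);
        }
        clauses.push(`${field} ${OPERATORS[op]} ?`);
        params.push(String(value));
      }
    } else {
      clauses.push(`${field} = ?`);
      params.push(String(cond));
    }
  }
  const sql = `SELECT * FROM ${table}` + (clauses.length ? ` WHERE ${clauses.join(' AND ')}` : '');
  return { sql, params };
}

// Constructed requests mirroring the post: a benign lookup, the [like] payload
// and the $where payload, run through both translators.
function demo() {
  const benign = parseQuery('email=jane%40example.com');
  const likePayload = parseQuery('email[like]=' + encodeURIComponent("%'; DROP TABLE users; --"));
  const wherePayload = parseQuery('$where=1%3D1');
  console.log('unsafe :', buildQueryUnsafe('users', likePayload));
  console.log('unsafe :', buildQueryUnsafe('users', wherePayload));
  console.log('safe   :', buildQuerySafe('users', benign, ['id', 'email']));
  console.log('safe   :', buildQuerySafe('users', likePayload, ['id', 'email']));
  for (const q of [wherePayload, likePayload]) {
    try {
      buildQuerySafe('users', q, ['id', 'email'], ['gt', 'lt']);
    } catch (e) {
      console.log('rejected:', e.message);
    }
  }
}
demo();
```

Two points to notice when running it: even when `like` stays on the operator allow-list, the hardened path never lets the payload alter the statement, because the value travels as a parameter (`email LIKE ?`), and the `$where` key is refused outright because it is not a permitted field. Restricting operators is useful for limiting what clients can ask for, but binding values is what removes the injection.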

In Summary

- CVE-2022-29822 lets attackers *inject SQL logic* through weakly filtered parameters in Feathers.js apps.

Always use strict query whitelisting, validate inputs, and stay current with security advisories.

Don’t be the next victim. Patch your apps and audit endpoints for improper filtering today.

Further Reading

- Understanding SQL Injection Attacks
- Official Feathers.js Documentation – params
- How to fix “SQL Injection” with node.js?

Timeline

Published on: 10/26/2022 10:15:00 UTC
Last modified on: 02/28/2023 19:06:00 UTC