CVE-2022-29823 - Feather-Sequalize cleanQuery RCE Vulnerability

A new Remote Code Execution (RCE) vulnerability, CVE-2022-29823, has been discovered in the Feather-Sequalize package's cleanQuery method. Feather-Sequalize is a popular ORM designed for use with the FeathersJS framework to interact with relational databases like MySQL, PostgreSQL, and SQLite3. This post will discuss the vulnerability details, its root cause, and offer guidance on how to mitigate or avoid the issue altogether.

Background

The Feather-Sequalize cleanQuery method is designed to filter out any unsupported keys passed in the query object before being passed on to the actual Sequelize database query. However, an insecure recursive logic has been identified within the cleanQuery implementation, which results in the processing of attacker-controlled queries that can potentially execute arbitrary code on the server, with the privileges of the application itself.

Vulnerability Details

The insecure recursive logic within the cleanQuery method allows an attacker to pass a specially crafted query object that causes the cleanQuery function to execute arbitrary code on the server. A detailed analysis of the vulnerability is available in the original post [Link to original reference].

The vulnerability occurs when cleanQuery recursively filters query objects. The insecure recursion occurs because cleanQuery does not properly validate the input and may end up interpreting unsupported keys as a query object with nested fields. A malicious attacker can exploit this by passing a craftily designed query object with keys that trigger the insecure recursion and result in code execution.

Here is a snippet of the vulnerable code

function cleanQuery(query) {
  return Object.keys(query).reduce((cleaned, key) => {
    if (supportedOps.includes(key)) {
      cleaned[key] = cleanQuery(query[key]);
    } else if (allowedProperties.includes(key)) {
      cleaned[key] = query[key];
    }
    return cleaned;
  }, {});
}

Exploit

An attacker can exploit the vulnerability by sending a query object that contains a key which is not part of the allowedProperties or supportedOps, but the value is an object with keys that match one of the supported operations. Here is an example of a crafted query object that could exploit the vulnerability:

{
  "insecure": {
    "$or": [
      {
        "id": 1
      },
      {
         "id": {
           "$gt": {
             "toString": "() => { console.log('RCE Detected!'); }"
           }
         }
      }
    ]
  }
}

In the example above, the insecure key is an attacker-controlled, arbitrary key. The cleanQuery method does not recognize insecure as a valid key, but it does recognize $or as a supported operation, so it proceeds to filter the $or array. This eventually filters down to the $gt key, which triggers the insecure recursion and leads to the execution of the arbitrary code provided in the toString function.

Mitigation

To address this vulnerability, developers should ensure that the Feather-Sequalize package is updated to a patched version that contains the fix. If a patched version is not available, it is strongly advised to switch to an alternative ORM package, such as Sequelize or Objection, which does not suffer from this issue.

Timeline

Published on: 10/26/2022 10:15:00 UTC
Last modified on: 02/28/2023 19:06:00 UTC