CVE-2023-5104 - Exploit Details and Breakdown of Improper Input Validation in NocoDB (Before v.96.)

If you use NocoDB—an open-source no-code database platform—there’s a critical vulnerability you need to know about. Identified as CVE-2023-5104, this issue was caused by improper input validation, which leaves installations prior to version .96. exposed to attackers.

Let’s break down what happened, show you some code snippets, explain how you might exploit it, and point you to the best original resources.

What is CVE-2023-5104?

This CVE covers a vulnerability in the way NocoDB handled input in its web API. Instead of strictly validating user input, the application accepted certain data that it shouldn’t have, allowing attackers to carry out actions like:

Or even potentially executing code, depending on how the attack is crafted.

This specific bug was fixed in NocoDB v.96.. If you're running an older version, upgrade immediately!

Where Did the Problem Reside?

NocoDB exposes API endpoints so you can manipulate database records through REST. The problem was that some endpoints didn’t properly sanitize or validate incoming JSON payloads.

Here’s a simplified version of the vulnerable code (pre-.96.)

// Vulnerable pseudo-code (for illustration)
router.post('/api/v1/db/data/:table', async (req, res) => {
  const { table } = req.params;
  const payload = req.body; // No validation!
  
  // Insert directly into the database
  const result = await db.insert(table, payload);
  res.json(result);
});

Notice the lack of input sanitization or validation for payload. That’s a red flag!

Exploiting the Vulnerability

Suppose you have a database called users with fields like username and role. You could POST any field you want with arbitrary data.

An attacker’s malicious request might look like

POST /api/v1/db/data/users HTTP/1.1
Host: nocodb.example.com
Content-Type: application/json

{
  "username": "eviluser",
  "role": "admin",      // escalate privileges
  "is_active": true
}

Or inject fields that shouldn’t exist.

If your schema is open or NocoDB isn’t enforcing constraints, the attacker becomes an admin at will.

What Was the Fix?

In pull request #4827, the NocoDB maintainers patched the vulnerability by adding strict input validation and field whitelisting.

Relevant code improvement (pseudocode)

router.post('/api/v1/db/data/:table', async (req, res) => {
  const { table } = req.params;
  const payload = req.body;

  // Only allow known fields
  const allowedFields = await getAllowedFields(table);
  const sanitized = {};

  for (const key in payload) {
    if (allowedFields.includes(key)) {
      sanitized[key] = payload[key];
    }
  }
  
  const result = await db.insert(table, sanitized);
  res.json(result);
});

Now, attackers can’t slip in extra fields or fudge data.

References and Further Reading

- NocoDB GitHub Advisory *(Replace with the exact advisory link once known)*
- GitHub PR #4827: Input validation
- NVD Entry for CVE-2023-5104

Final Thoughts

CVE-2023-5104 is a great reminder: always validate and sanitize user input, especially in database-driven apps. A single overlooked check can open the door to dangerous exploits.

Run NocoDB? Update to .96. now.

If you found this article helpful, share it and keep your software secure!

Timeline

Published on: 09/21/2023 09:15:00 UTC
Last modified on: 09/22/2023 13:48:00 UTC