CVE-2024-24213 - The Truth About "SQL Injection" in Supabase PostgreSQL v15.1’s /pg_meta/default/query Endpoint

Overview

On January 25, 2024, a security report highlighted a potential SQL injection in Supabase PostgreSQL v15.1, specifically in the /pg_meta/default/query endpoint. This issue received the identifier CVE-2024-24213. At first glance, this sounds severe—SQL injection (SQLi) is among the most dangerous vulnerabilities, potentially giving attackers full control over your database.

But as we’ll explain in this article, things aren’t exactly what they seem. This endpoint is designed specifically to accept and execute arbitrary SQL from authenticated users by design. Here, we’ll break down the facts, show you code snippets, and explain both what is at risk, and what’s not.


How the Vulnerability Was Discovered

Security researchers were analyzing the web interface of the Supabase Dashboard (Supabase Studio), the open-source admin panel for Supabase-hosted PostgreSQL databases. They noticed a POST endpoint, /pg_meta/default/query, that takes SQL from the client and executes it.

Example intercepted HTTP POST request

POST /pg_meta/default/query HTTP/1.1
Host: app.supabase.com
Content-Type: application/json
Authorization: Bearer <valid_token>

{
  "query": "SELECT * FROM users;"
}

It appears that you can send any SQL, including potentially harmful queries. For example, the following could be submitted:

{
  "query": "DROP TABLE users;"
}

Or, dressed up the way a classic UNION-based SQLi payload would look (the column counts on both sides of the UNION must match for PostgreSQL to accept it):

{
  "query": "SELECT email FROM users WHERE id=1 UNION SELECT password FROM admin_users;"
}

But the reality here is different.

The Code and Endpoint

The code for /pg_meta/default/query is part of Supabase Studio (Dashboard) and connects directly to your database, providing an SQL editor for authorized users.

An example handler (simplified for clarity)

// Node.js (Express + node-postgres), simplified for clarity
const express = require('express');
const { Pool } = require('pg');

const app = express();
const db = new Pool(); // connection details come from the PG* environment variables
app.use(express.json());

// authenticateUser: the dashboard's session check (not shown here)
app.post('/pg_meta/default/query', authenticateUser, async (req, res) => {
    const { query } = req.body;
    // Run the user-supplied SQL against the PostgreSQL instance, verbatim
    const { rows } = await db.query(query);
    res.json(rows);
});

The user’s input (the SQL) is run as-is. That’s the entire point of a SQL editor!

Is This Really SQL Injection?

Short answer: NO.

SQL injection is when a web application unintentionally runs attacker-controlled SQL because untrusted input that the developer meant to treat as data (a name, an ID) is spliced into the query text and ends up being parsed as SQL code. The attacker changes the structure of a statement they were never meant to control.

Here’s a classic example of real SQLi

// Vulnerable code - NOT how Supabase does it!
const sql = "SELECT * FROM users WHERE name = '" + req.body.name + "'";
db.query(sql); // if req.body.name is  John' OR '1'='1  the WHERE clause becomes always-true and every user is returned

But /pg_meta/default/query is built to execute arbitrary SQL for authenticated users. It’s the same as giving someone direct access to psql in a terminal.
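Added example (not the article's or Supabase's code): the distinction drawn above, run for real against an in-memory SQLite database that stands in for PostgreSQL. The users table, its rows and the payload are constructed for the demo. The last function uses SQLite's query_only pragma as a stand-in for running the editor under a read-only PostgreSQL role, which is the kind of control that actually bounds what a compromised dashboard account can do (see Real Risk below); it is an assumption of this demo, not a description of how Supabase runs the endpoint.

```python
"""
Added example, not code from Supabase or the article.
SQLite (in memory) stands in for PostgreSQL; the table, rows, payload and the
query_only pragma are assumptions made for this demo.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a users table with three rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("John", "john@example.com"), ("Alice", "alice@example.com"), ("Bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Real SQL injection: untrusted data is spliced into the SQL text, so the
    caller can change the *structure* of the statement the developer wrote."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Fixed: the statement text is constant and the data is bound separately.
    Whatever `name` contains is compared as a value, never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def sql_editor(conn: sqlite3.Connection, query: str) -> list:
    """What /pg_meta/default/query does: the whole statement *is* the input.
    There is no data/code boundary for an attacker to cross; an authorized
    caller is simply running SQL, exactly as in psql."""
    return conn.execute(query).fetchall()


def sql_editor_readonly(conn: sqlite3.Connection, query: str) -> list:
    """Same editor, but the session is read-only (SQLite's query_only pragma
    stands in for a read-only PostgreSQL role; an assumption of this demo).
    The SQL is still run as-is: what limits the blast radius is the privilege
    of the session, not any parsing or filtering of the query text."""
    conn.execute("PRAGMA query_only = ON")
    try:
        return conn.execute(query).fetchall()
    finally:
        conn.execute("PRAGMA query_only = OFF")


if __name__ == "__main__":
    conn = make_db()
    payload = "John' OR '1'='1"  # classic SQLi payload, constructed for the demo
    print(lookup_vulnerable(conn, payload))     # every user: the WHERE clause was rewritten
    print(lookup_parameterized(conn, payload))  # []: no user is literally named that
    print(sql_editor(conn, "SELECT name FROM users WHERE id = 1"))
    try:
        sql_editor_readonly(conn, "DROP TABLE users")
    except sqlite3.OperationalError as exc:
        print("rejected by read-only session:", exc)
```

The first two functions show the actual vulnerability class: the same payload rewrites the vulnerable query's WHERE clause but is harmless once bound as a parameter. The editor function has no such boundary to defend, so the only meaningful controls are who may call it and what the database session is allowed to do.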


Why the Vendor Disagrees

The Supabase team’s official response to this CVE is clear:

- /pg_meta/default/query is intended for manual SQL entered through the dashboard UI. There is no “injection”: the code’s purpose is to allow SQL execution from trusted users.

- The Supabase PostgreSQL product itself does not have a bug; this endpoint is part of the Supabase Dashboard (admin panel).

Quote from Supabase's team (paraphrased)

> We do not consider this a SQL Injection. The endpoint is an SQL editor for trusted users. It cannot be used by unprivileged parties. Nothing is being “injected”.


Real Risk

- Compromised dashboard credentials: If an attacker gets access to an admin user’s account, they can use /pg_meta/default/query to run any SQL. This is nothing new, as the admin panel grants database access by design.
- Phishing or social engineering: Attackers may trick admins into pasting and running attacker-supplied queries, but again, this is not a technical SQLi vulnerability.
- Unauthenticated attacks: Not possible. The endpoint cannot be reached without a valid dashboard login.
- Automatic exploitation over the public internet: Not possible unless your dashboard account is compromised.


References & Further Reading

- CVE-2024-24213 at NVD
- Supabase dashboard source code (GitHub)
- Original issue on GitHub
- What is SQL Injection? (OWASP)


Final Thoughts

CVE-2024-24213 is technically a mis-classification. The /pg_meta/default/query endpoint is simply an SQL editor for authenticated users in Supabase’s dashboard, not a mistakenly exposed database interface. The vendor’s dispute of this CVE is justified, and the endpoint adds no risk to regular users or to the Supabase PostgreSQL product beyond what admin database access already implies.

That said, the endpoint is exactly as safe as the dashboard credentials that gate it, so treat those accounts as database-admin accounts and protect them accordingly.

Don’t panic, just stay secure.

---

Timeline

Published on: 02/08/2024 18:15:08 UTC
Last modified on: 03/21/2024 02:52:10 UTC