| Title | QuantumNous new-api 0.12.1 Improper Neutralization of Data Query Logic (CWE-943) |
|---|---|
| Description | # Technical Details
A SQL LIKE wildcard injection vulnerability exists in the TopUp search path of new-api. User-controlled keyword input is concatenated directly into a LIKE pattern without escaping wildcard metacharacters (`_`, `%`). Any authenticated user can alter matching semantics through `/api/user/topup/self`, and repeated wildcard-heavy requests can amplify database query workload. This is a narrow-fix variant: token/log search paths were hardened with `sanitizeLikePattern(...)`, but TopUp search was left unpatched.
# Vulnerable Code
File: `model/topup.go` and `controller/topup.go`
Method: `SearchUserTopUps`
Why: The controller receives attacker input via `keyword := c.Query("keyword")` and passes it to the model sink, which builds the SQL LIKE pattern unsafely: `like := "%%" + keyword + "%%"; query = query.Where("trade_no LIKE ?", like)`. SQL LIKE special characters are neither normalized nor escaped in TopUp search, so `_` and `%` are evaluated as database wildcard operators rather than as literal characters.
# Reproduction
1. Set up a vulnerable instance with a `docker-compose.yml` that runs `calciumion/new-api:latest`.
2. Start the environment: `docker compose up -d`
3. Save the exploit script `poc_exploit.py`, which creates top-ups and uses wildcard keywords like `trade_no[:-1]_`.
4. Save the control script `control-normal_keyword.py` to compare exact matching against the control case.
5. Execute the test scripts: `python3 poc_exploit.py --base-url http://127.0.0.1:13000`. The exploit demonstrates unintended match behavior in the TopUp order search, confirming that the wildcards are evaluated.
# Impact
- Unintended match behavior in TopUp order search via wildcard metacharacters.
- Potential query amplification and increased database workload via wildcard-heavy search patterns under concurrency (DoS-style degradation).
- Query integrity expectations are broken: a literal search is no longer guaranteed when wildcards are unescaped. |
| Source | https://gist.github.com/YLChen-007/92b68016a191180ed12e3e69bd20c066 |
| User | Eric-e (UID 97581) |
| Submission | 24.04.2026 14:16 (1 month ago) |
| Moderation | 22.05.2026 20:03 (28 days later) |
| Status | Duplicate |
| VulDB Entry | 365252 [QuantumNous new-api up to 0.12.1 self Endpoint model/topup.go SearchUserTopUps/SearchAllTopUps SQL Injection] |
| Points | 0 |
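To show the defect in `SearchUserTopUps` beside its fix, here is an added example that is not code from new-api: `escapeLikePattern` is a hypothetical stand-in for the project's `sanitizeLikePattern`, `likeMatch` is a small in-process evaluator of SQL LIKE semantics so the constructed trade numbers can be matched without a database, and `matchingTradeNos` runs a keyword through the vulnerable `"%" + keyword + "%"` concatenation and through the escaped form.

```go
package main

import (
	"fmt"
	"strings"
)

// escapeLikePattern neutralizes the LIKE metacharacters '%' and '_' (and the escape
// character itself). Pair it with `LIKE ? ESCAPE '\'`: MySQL/PostgreSQL default to backslash, SQLite does not.
func escapeLikePattern(keyword string) string {
	return strings.NewReplacer(`\`, `\\`, `%`, `\%`, `_`, `\_`).Replace(keyword)
}

// likeMatch: minimal case-sensitive SQL LIKE evaluator with backslash escape (illustration only).
func likeMatch(pattern, s string) bool {
	switch {
	case pattern == "":
		return s == ""
	case pattern[0] == '%': // zero or more characters
		for i := 0; i <= len(s); i++ {
			if likeMatch(pattern[1:], s[i:]) {
				return true
			}
		}
		return false
	case pattern[0] == '_': // exactly one character
		return s != "" && likeMatch(pattern[1:], s[1:])
	case pattern[0] == '\\': // escaped byte must match literally
		return len(pattern) > 1 && s != "" && s[0] == pattern[1] && likeMatch(pattern[2:], s[1:])
	}
	return s != "" && s[0] == pattern[0] && likeMatch(pattern[1:], s[1:])
}

// matchingTradeNos: rows the search returns for keyword, unescaped (vulnerable) or escaped (fixed).
func matchingTradeNos(keyword string, tradeNos []string, escape bool) (out []string) {
	if escape {
		keyword = escapeLikePattern(keyword)
	}
	for _, t := range tradeNos {
		if likeMatch("%"+keyword+"%", t) {
			out = append(out, t)
		}
	}
	return out
}

func main() {
	nos := []string{"TUP-0001", "TUP-0002", "TUP_0003"} // constructed sample data
	fmt.Println(matchingTradeNos("TUP-000_", nos, false), matchingTradeNos("TUP-000_", nos, true)) // [TUP-0001 TUP-0002] []
}
```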