Submission #812195: QuantumNous new-api 0.12.1 Improper Neutralization of Data Query Logic (CWE-943)

Title: QuantumNous new-api 0.12.1 Improper Neutralization of Data Query Logic (CWE-943)
Description:

# Technical Details

A SQL LIKE wildcard injection vulnerability exists in the TopUp search path of new-api. User-controlled keyword input is concatenated directly into a LIKE pattern without escaping the wildcard metacharacters `_` and `%`. Any authenticated user can alter the matching semantics through `/api/user/topup/self`, and repeated wildcard-heavy requests can amplify database query workload. This is a narrow-fix variant: the token and log search paths were hardened with `sanitizeLikePattern(...)`, but TopUp search was left unpatched.

# Vulnerable Code

File: `model/topup.go` and `controller/topup.go`
Method: `SearchUserTopUps`
Why: The controller receives attacker input via `keyword := c.Query("keyword")` and passes it to the model sink, which builds the SQL LIKE pattern unsafely: `like := "%%" + keyword + "%%"; query = query.Where("trade_no LIKE ?", like)`. The TopUp search performs no normalization or escaping of SQL LIKE special characters, so `_` and `%` in the keyword are evaluated as database pattern operators rather than as literal text.

# Reproduction

1. Set up a vulnerable instance using `docker-compose.yml` running `calciumion/new-api:latest`.
2. Start the environment: `docker compose up -d`
3. Save the exploit script `poc_exploit.py`, which creates top-ups and then searches with wildcard keywords such as `trade_no[:-1]_` (the trade number with its last character replaced by a single-character wildcard).
4. Save the control script `control-normal_keyword.py`, which compares exact-keyword matching against the wildcard case.
5. Execute the test scripts: `python3 poc_exploit.py --base-url http://127.0.0.1:13000`. The exploit retrieves an unintended match in the TopUp order search, verifying that the wildcard is evaluated.

# Impact

- Unintended match behavior in TopUp order search via wildcard metacharacters.
- Potential query amplification and increased database workload from wildcard-heavy search patterns under concurrency (DoS-style degradation).
- Query integrity expectations are broken: a literal search is no longer guaranteed when wildcards are unescaped.
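The wildcard problem and the escaping fix side by side, as an added example that is neither new-api's code nor the gist's PoC: it runs the same two-query comparison against an in-memory SQLite table filled with constructed trade numbers. `search_vulnerable` builds the LIKE pattern the way the advisory describes for `SearchUserTopUps`; `search_hardened` escapes `\`, `%` and `_` (a stand-in for new-api's `sanitizeLikePattern`, whose implementation this page does not show) and declares the escape character with an explicit `ESCAPE` clause. The `topups` table schema, the `user_id` column and the sample data are assumptions.

```python
import sqlite3

# Constructed sample data, not taken from the page: trade numbers that share
# all but their final character, which is exactly what a trailing "_" exploits.
SAMPLE_TRADE_NOS = [
    "TOPUP20260424001",
    "TOPUP20260424002",
    "TOPUP20260424003",
    "TOPUP2026042400A",  # same length, so "_" matches it; a literal search never would
    "TOPUP20260424",     # shorter, matched only by "%"
]


def open_db():
    """Create an in-memory table standing in for new-api's topups table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE topups (id INTEGER PRIMARY KEY, user_id INTEGER, trade_no TEXT)"
    )
    conn.executemany(
        "INSERT INTO topups (user_id, trade_no) VALUES (?, ?)",
        [(1, t) for t in SAMPLE_TRADE_NOS],
    )
    return conn


def search_vulnerable(conn, user_id, keyword):
    """The pattern the advisory describes: keyword wrapped in '%' with no escaping.

    The query itself is parameterised, so this is not classic SQL injection;
    the defect is that '%' and '_' inside the parameter still act as wildcards.
    """
    like = "%" + keyword + "%"
    rows = conn.execute(
        "SELECT trade_no FROM topups WHERE user_id = ? AND trade_no LIKE ? ORDER BY id",
        (user_id, like),
    ).fetchall()
    return [r[0] for r in rows]


def escape_like(keyword, escape_char="\\"):
    """Escape the LIKE metacharacters so the keyword is matched literally.

    The escape character itself is doubled first; otherwise a trailing
    backslash in the input could swallow the '%' appended by the caller.
    """
    out = keyword.replace(escape_char, escape_char + escape_char)
    out = out.replace("%", escape_char + "%")
    out = out.replace("_", escape_char + "_")
    return out


def search_hardened(conn, user_id, keyword):
    """Same search with the keyword escaped and the escape character declared.

    Declaring ESCAPE explicitly matters: SQLite has no default escape
    character, so without the clause the backslashes would match literally.
    """
    like = "%" + escape_like(keyword) + "%"
    rows = conn.execute(
        "SELECT trade_no FROM topups WHERE user_id = ? "
        "AND trade_no LIKE ? ESCAPE '\\' ORDER BY id",
        (user_id, like),
    ).fetchall()
    return [r[0] for r in rows]


def compare(keyword):
    """Run both searches for one keyword; returns (vulnerable_hits, hardened_hits)."""
    conn = open_db()
    try:
        return search_vulnerable(conn, 1, keyword), search_hardened(conn, 1, keyword)
    finally:
        conn.close()


if __name__ == "__main__":
    # Mirrors the PoC's keyword construction: trade_no[:-1] + "_".
    probe = SAMPLE_TRADE_NOS[0][:-1] + "_"
    for kw in (probe, "%", SAMPLE_TRADE_NOS[0]):
        vuln, hard = compare(kw)
        print(f"{kw!r}: vulnerable={len(vuln)} hardened={len(hard)}")
```

With the PoC-style probe the vulnerable search returns every same-length trade number, while the hardened search returns none, because no stored trade number contains a literal underscore; an exact trade number returns one row in both. On MySQL, which new-api typically runs against, the same SQL must be written `ESCAPE '\\'` because MySQL string literals treat a backslash as an escape; the query-amplification effect of wildcard-heavy patterns under concurrency is not reproduced here.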
Source: https://gist.github.com/YLChen-007/92b68016a191180ed12e3e69bd20c066
User: Eric-e (UID 97581)
Submission: 24/04/2026 02:16 PM (1 month ago)
Moderation: 22/05/2026 08:03 PM (28 days later)
Status: Duplicate
VulDB Entry: 365252 [QuantumNous new-api up to 0.12.1 self Endpoint model/topup.go SearchUserTopUps/SearchAllTopUps SQL Injection]
Points: 0
