| Title | defog-ai introspect v0.1.0 to v0.1.4 Code Injection |
|---|---|
| Description | Introspect is a service that does data-focused deep research for structured data by LLM. A critical vulnerability has been identified in the `introspect/backend/integration_routes.py` file's `preview_table` function. The current implementation only checks for alphanumeric characters, underscores, spaces, or periods in the table name to prevent SQL injection. However, it fails to handle table names with double quotes properly, which can lead to potential SQL injection attacks. Malicious users could exploit this flaw to manipulate database queries, access sensitive data, or perform unauthorized actions. This vulnerability poses a significant risk to the security and integrity of the data processed by the Introspect service. More Details: https://github.com/defog-ai/introspect/issues/496 |
| Source | https://github.com/defog-ai/introspect/issues/496 |
| User | ybdesire (UID 83239) |
| Submission | 05/05/2025 15:59 (1 Year ago) |
| Moderation | 05/15/2025 14:27 (10 days later) |
| Status | Accepted |
| VulDB entry | 309068 [defog-ai introspect up to 0.1.4 Test Endpoint integration_routes.py test_custom_tool input_model code injection] |
| Points | 20 |
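The description points at the general fix for this class of bug: a table name that is spliced into SQL text must be both allowlisted and quoted as an identifier, so that a double quote (or anything else that slips through) can never terminate the identifier early. The following is an added illustration of that pattern, not code from the introspect project; `safe_table_ref` and `build_preview_query` are hypothetical names, and the accepted character set mirrors the one the description lists.

```python
import re

# Allowlist of the character classes the description names (letters, digits,
# underscore, space, period). A double quote is simply not in the set, so it
# is rejected before the name ever reaches the database.
ALLOWED = re.compile(r"^[A-Za-z0-9_ .]+$")


def quote_identifier(part: str) -> str:
    """Double-quote one SQL identifier, doubling any embedded double quote.

    Doubling is the standard-SQL escape inside a quoted identifier, so even a
    value that bypassed the allowlist cannot close the quotes and inject text.
    """
    return '"' + part.replace('"', '""') + '"'


def safe_table_ref(table_name: str) -> str:
    """Validate a (possibly schema-qualified) table name and return it fully
    quoted, ready to be placed in SQL text. Raises ValueError on any doubt."""
    if not ALLOWED.match(table_name):
        raise ValueError(f"rejected table name: {table_name!r}")
    parts = table_name.split(".")
    # At most schema.table, and neither component may be blank.
    if len(parts) > 2 or any(p.strip() == "" for p in parts):
        raise ValueError(f"rejected table name: {table_name!r}")
    return ".".join(quote_identifier(p) for p in parts)


def build_preview_query(table_name: str, limit: int = 10) -> str:
    """Hypothetical preview query: the identifier is validated and quoted and
    the row limit is a checked integer; no raw user text is interpolated."""
    if not isinstance(limit, int) or isinstance(limit, bool) or limit <= 0:
        raise ValueError("limit must be a positive integer")
    return f"SELECT * FROM {safe_table_ref(table_name)} LIMIT {limit}"


def is_accepted(table_name: str) -> bool:
    """Convenience check used to exercise the validator on sample inputs."""
    try:
        safe_table_ref(table_name)
        return True
    except ValueError:
        return False
```

With a real driver, prefer its identifier helper (for example psycopg's `sql.Identifier`) over hand-rolled quoting; the allowlist step still applies either way.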