CVE-2019-10757: SQL Injection in knex
CVSS Score: 9.8 (CVSS v3.1)
Basic Information
CVE ID: CVE-2019-10757
GHSA ID:
EPSS Score: 0.51103%
CWE:
Published: 10/21/2019
Updated: 2/1/2023
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| knex | npm | < 0.19.5 | 0.19.5 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from improper identifier escaping in the MSSQL dialect. The key change in commit 988fb24 modifies the wrapIdentifierImpl method in the MSSQL client implementation. The patch replaces the original, insufficient escaping regex with one that strips out the characters [, ] and ' before wrapping, directly removing the SQL injection vector. This function is responsible for wrapping column and table identifiers in square brackets during query construction, which makes it the primary vulnerable function: any attacker-influenced identifier passes through it, and a closing bracket left in place terminates the quoted identifier early. Other changes in the commit appear to be test additions or unrelated code style fixes.
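The following illustration is added here and is not knex's own code. It places a stand-in for the pre-fix identifier wrapper next to a wrapper that applies the fix described above (strip every [, ] and ' character, then wrap in square brackets), and adds a defender-side check that a wrapped identifier is exactly one bracketed token. The function names, the regexes, the minimal query builder and the sample identifier are all assumptions constructed for this example; in particular, the "unsafe" wrapper performs no escaping at all, which is the simplest insufficient case, not the exact regex the original code used.

```javascript
// Added illustration (not knex's own code). wrapIdentifierUnsafe stands in for
// the pre-fix behaviour the page describes (escaping that lets [ ] ' survive in
// the identifier); here it does no escaping, the simplest insufficient case.
// wrapIdentifierSafe implements the described fix: strip every [, ] and '
// character, then wrap in square brackets. Names and regexes are assumptions.

function wrapIdentifierUnsafe(value) {
  if (value === '*') return '*';
  return `[${value}]`; // assumed: bracket and quote characters pass through
}

function wrapIdentifierSafe(value) {
  if (value === '*') return '*';
  // Remove every character that could close or reopen the bracket quoting.
  return `[${value.replace(/[\[\]']+/g, '')}]`;
}

// Defender-side check: a wrapped identifier must be exactly one bracketed
// token with no bracket or quote characters inside it (or the bare '*').
function isWellFormedWrapped(wrapped) {
  return wrapped === '*' || /^\[[^\[\]']+\]$/.test(wrapped);
}

// Minimal query builder so the effect is visible at the statement level.
function buildSelect(columns, table, wrap) {
  const cols = columns.map(wrap).join(', ');
  return `select ${cols} from ${wrap(table)}`;
}

// Constructed sample input: an identifier carrying a closing bracket, the
// kind of value the root cause analysis above refers to.
const hostileIdentifier = 'email]; --';

function demo() {
  return {
    unsafe: buildSelect(['id', hostileIdentifier], 'users', wrapIdentifierUnsafe),
    safe: buildSelect(['id', hostileIdentifier], 'users', wrapIdentifierSafe),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

In the unsafe form the closing bracket inside the identifier ends the quoted name early and the remainder of the value lands in the statement unquoted; in the safe form the bracket and quote characters are gone, so the whole value stays inside one bracketed identifier. The isWellFormedWrapped check is the kind of assertion a test suite or a custom wrapIdentifier hook can apply to every wrapped identifier regardless of which escaping regex the dialect uses.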