9.4

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-35942

GHSA ID

GHSA-j259-6c58-9m58

EPSS Score

0.24257%

CWE

CWE-20

Published

8/11/2022

Updated

1/27/2023

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-35942

CVE-2022-35942: loopback-connector-postgresql Vulnerable to Improper Sanitization of `contains` Filter

Improper input validation on the contains LoopBack filter may allow for arbitrary SQL injection.

Impact

When the extended filter property contains is permitted to be interpreted by the Postgres connector, it is possible to inject arbitrary SQL which may affect the confidentiality and integrity of data stored on the connected database.

This affects users who does any of the following:

Connect to the database via the DataSource with allowExtendedProperties: true setting OR
Uses the connector's CRUD methods directly OR
Uses the connector's other methods to interpret the LoopBack filter.

Patches

Patch release loopback-connector-postgresql@5.5.1 has been published of which resolves this issue.

Workarounds

Users who are unable to upgrade should do the following if applicable:

Remove allowExtendedProperties: true DataSource setting
Add allowExtendedProperties: false DataSource setting
When passing directly to the connector functions, manually sanitize the user input for the contains LoopBack filter beforehand.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2022-35942

CVE-2022-35942:

9.4

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-35942

GHSA ID

GHSA-j259-6c58-9m58

EPSS Score

0.24257%

CWE

CWE-20

Published

8/11/2022

Updated

1/27/2023

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
loopback-connector-postgresql	npm	< 5.5.1	5.5.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The GitHub commit d57406c shows the patch modified the 'contains' case in PostgreSQL.prototype.buildExpression to use parameterized queries instead of direct string interpolation. The original code constructed SQL with raw user input via template literals ('${v}'), making it vulnerable to SQL injection. This matches the CWE-89 (SQL Injection) and CWE-20 (Input Validation) descriptions in the advisory. The function's role in processing LoopBack filters aligns with the vulnerability's impact scenario.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

9.4

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2022-35942: loopback-connector-postgresql Vulnerable to Improper Sanitization of `contains` Filter

Impact

Patches

Workarounds

CVE-2022-35942:

9.4

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

Basic Information

Basic Information

CVE-2022-35942: loopback-connector-postgresql Vulnerable to Improper Sanitization of `contains` Filter

Impact

Patches

Workarounds

9.4

9.4

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI