What Happened
A vulnerability was discovered in stigmem-node's Postgres schema identifier handling: schema identifiers were interpolated into SQL strings without proper quoting.

Who Is Affected
Operators using the Postgres backend in affected versions of stigmem-node are impacted.

Severity & Impact
The severity of this vulnerability is 7.5. If future call sites allowed tenant- or request-controlled schema names, the pattern could lead to SQL injection attacks.

Mitigation
To mitigate this vulnerability, upgrade to the patched release (0.9.0a2) by running pip install --upgrade --pre stigmem-node, or pip install --upgrade --pre 'stigmem[node]' if installed through the Stigmem meta-package. Alternatively, until you can upgrade, configure Postgres schema names only from trusted deployment configuration and do not derive schema names from request, tenant, header, or user input.
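The following is an added illustration, not code from stigmem-node: the unquoted interpolation pattern the advisory describes, beside a hardened builder that allowlists the schema name (the trusted-configuration rule above) and then quotes it as a Postgres identifier. The quote_identifier and is_trusted_schema_name helpers and the allowlist regex are assumptions of this example; in real code using psycopg, psycopg.sql.Identifier performs the same quoting.

```python
import re

# Conservative allowlist for schema names sourced from deployment configuration.
# Assumption: this policy is chosen for the example, not taken from stigmem-node.
# Postgres truncates identifiers longer than 63 bytes, so the length is capped too.
_SAFE_IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,62}$")


def quote_identifier(name: str) -> str:
    """Quote a Postgres identifier the way the server expects.

    Identifiers are delimited with double quotes and an embedded double quote is
    written as two double quotes. A NUL byte can never appear in an identifier,
    so it is rejected instead of being passed through to the server.
    """
    if "\x00" in name:
        raise ValueError("identifier contains a NUL byte")
    return '"' + name.replace('"', '""') + '"'


def is_trusted_schema_name(name: str) -> bool:
    """Allowlist check applied to schema names before they reach SQL."""
    return _SAFE_IDENTIFIER.fullmatch(name) is not None


def build_set_search_path_unsafe(schema: str) -> str:
    """The vulnerable pattern: the identifier is interpolated verbatim."""
    return f"SET search_path TO {schema}"


def build_set_search_path(schema: str) -> str:
    """Hardened form: allowlist first, then quote the identifier."""
    if not is_trusted_schema_name(schema):
        raise ValueError(f"schema name rejected by allowlist: {schema!r}")
    return f"SET search_path TO {quote_identifier(schema)}"


if __name__ == "__main__":
    # Constructed inputs: a normal name and one carrying a quote and a semicolon.
    for candidate in ("tenant_42", 'tenant"; SELECT 1'):
        print("unsafe  :", build_set_search_path_unsafe(candidate))
        print("quoted  :", quote_identifier(candidate))
        try:
            print("hardened:", build_set_search_path(candidate))
        except ValueError as exc:
            print("hardened:", exc)
```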