Security context
HighGHSA-4mg9-vhxq-vm7j CWE-89Published Apr 29, 2021

SQL Server LIMIT / OFFSET SQL Injection in laravel/framework and illuminate/database

Research this vulnerability

Research is free — Hunters explains how the bug works, the root-cause code pattern, how the fix addresses it, and how to test whether a target is affected, in chat. Investigate & write exploit is a paid run — the engine reads the advisory and fix commits, then builds and validates a working proof-of-concept exploit with reproduction steps.

Affected versions

8.0.0 → fixed in 8.40.00 → fixed in 6.20.26

Details

### Impact Those using SQL Server with Laravel and allowing user input to be passed directly to the `limit` and `offset` functions are vulnerable to SQL injection. Other database drivers such as MySQL and Postgres are not affected by this vulnerability. ### Patches This problem has been patched on Laravel versions 6.20.26, 7.30.5, and 8.40.0. ### Workarounds You may workaround this vulnerability by ensuring that only integers are passed to the `limit` and `offset` functions, as well as the `skip` and `take` functions.

The fix

No fix commit could be resolved for this advisory (it may reference an issue tracker or a non-GitHub patch). See the references below.

References