Critical SQL Injection Flaw in /users Endpoint Allows Full Database Exposure
A security audit has identified a critical SQL injection vulnerability in the `/users` endpoint of the affected application. An attacker can retrieve every row the endpoint's query touches by supplying a crafted value in a query parameter that is spliced into SQL without parameterization. The flaw is rated Critical (CVSS 9.8), affects all versions from v1.0.0 through v1.2.0, and has been reproduced in both staging and production environments running Node.js 18 with [email protected].
The root cause is string concatenation: the value of the `filter` parameter is inserted directly into the SQL text instead of being bound as a parameter. A proof-of-concept request, `GET /users?filter=1 OR 1=1--`, turns the intended `WHERE id = 1` into `WHERE id = 1 OR 1=1`, which is true for every row, and the trailing `--` comments out whatever the application appended after the injected value. The result is every record in the `users` table, with the intended filter bypassed entirely. The recommended fix is to keep the SQL text constant and pass the value as a bound input, for example `pool.query('SELECT * FROM users WHERE id = $1', [id])`, where `id` is the parsed value of `filter`. Two caveats apply when adopting it: bound parameters protect values only, so any part of the statement that user input selects (a column name, sort direction, or table) must come from a fixed allowlist rather than a placeholder; and validating that `filter` is the type the column expects (an integer id here) before building the query turns an injection attempt into a 400 at the edge rather than a database error.
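The vulnerable pattern and its parameterized replacement, side by side, as an added example that is not code from the advisory or the affected application. It assumes an Express-style `req.query` object and the node-postgres (`pg`) `$1` placeholder syntax that the recommended fix uses; `RecordingPool` is a constructed stand-in for `pg.Pool` that records what would be sent to the database so the example runs offline. The `parseUserId` check is an addition on top of the advisory's fix, on the assumption that `filter` is meant to be a numeric user id.

```javascript
// Constructed stand-in for pg.Pool. It records the SQL text and the bound
// values separately, which mirrors how the real driver sends them: the
// server receives `values` out of band and never parses them as SQL.
class RecordingPool {
  constructor() {
    this.calls = [];
  }
  async query(text, values = []) {
    this.calls.push({ text, values });
    return { rows: [] };
  }
}

// BEFORE: the pattern the advisory describes. The raw parameter value is
// spliced into the statement, so `1 OR 1=1--` rewrites the WHERE clause.
function buildVulnerableSql(filter) {
  return `SELECT * FROM users WHERE id = ${filter}`;
}

async function getUsersVulnerable(req, pool) {
  const result = await pool.query(buildVulnerableSql(req.query.filter));
  return { status: 200, body: result.rows };
}

// AFTER: validate first (assumption: `filter` is a positive integer id),
// then keep the SQL text constant and bind the value as $1.
function parseUserId(raw) {
  if (typeof raw !== 'string' || !/^\d{1,18}$/.test(raw)) {
    return null;
  }
  return Number(raw);
}

// Returns the { text, values } pair that would go to pg.Pool.query,
// or null when the input does not parse as an id.
function buildHardenedQuery(rawFilter) {
  const id = parseUserId(rawFilter);
  if (id === null) {
    return null;
  }
  return { text: 'SELECT * FROM users WHERE id = $1', values: [id] };
}

async function getUsersHardened(req, pool) {
  const q = buildHardenedQuery(req.query.filter);
  if (q === null) {
    return { status: 400, body: { error: 'filter must be a positive integer id' } };
  }
  const result = await pool.query(q.text, q.values);
  return { status: 200, body: result.rows };
}

// Replay the advisory's proof-of-concept payload against both handlers and
// report what each one actually handed to the database.
async function demo() {
  const req = { query: { filter: '1 OR 1=1--' } };

  const vulnPool = new RecordingPool();
  await getUsersVulnerable(req, vulnPool);

  const safePool = new RecordingPool();
  const response = await getUsersHardened(req, safePool);

  return {
    vulnerableSql: vulnPool.calls[0].text, // the rewritten WHERE clause
    hardenedQueries: safePool.calls.length, // 0: rejected before any query
    hardenedStatus: response.status, // 400
  };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

Even without the `parseUserId` gate, the bound form is not injectable: the string `1 OR 1=1--` would travel as the value of `$1`, and PostgreSQL would reject it as invalid input for an integer column rather than execute it as SQL. The gate is there so that such input is refused at the application boundary, with a clear client error and no database round trip.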
The potential impact is severe. An attacker exploiting this flaw could exfiltrate the entire database, including password hashes and personally identifiable information (PII). The report also notes the possibility of data deletion or manipulation; the `1=1` proof-of-concept only reads, but the same concatenation pattern in any UPDATE or DELETE statement, or a driver configured to run stacked statements, would allow writes. The vulnerability was disclosed through a security audit conducted by @secteam on April 20, 2026. Organizations running affected versions should immediately update to a patched release or apply parameterized queries to every statement that incorporates request input, not only the one in the proof-of-concept. Because exploitation leaves a visible trace, access logs for `/users` should be searched for `filter` values containing SQL fragments such as `OR 1=1` or `--`; any hit should be treated as a potential full-table disclosure, with credential rotation and user notification handled accordingly.