GHSA-38CW-85XC-XR9X: Identity Crisis: Dumping Veramo's Digital Wallets via SQL Injection

Published: (January 16, 2026 at 08:03 PM EST)
2 min read
Source: Dev.to

Vulnerability Overview

  • Vulnerability ID: GHSA-38CW-85XC-XR9X
  • CVE: N/A
  • CVSS Score: 6.8 (Medium)
  • Published: 2026-01-16
  • CWE: CWE-89 (SQL Injection)
  • Attack Vector: Network (Authenticated)
  • Impact: High – confidentiality and integrity of private keys and verifiable credentials

A critical SQL injection flaw exists in the Veramo framework’s data storage layer. Authenticated attackers can manipulate the order parameter in API requests, causing the ORM to execute arbitrary SQL and dump the entire database, including DIDs, private keys, and verifiable credentials.

Affected Components

Package                    Versions Affected   Fixed In
@veramo/data-store         < 6.0.2             6.0.2
@veramo/data-store-json    < 6.0.2             6.0.2

The vulnerable function is decorateQB() in data-store-orm.ts.

Patch Details

--- a/packages/data-store/src/data-store-orm.ts
+++ b/packages/data-store/src/data-store-orm.ts
@@ -1,4 +1,5 @@
+import { ALLOWED_COLUMNS } from './constants'
...
-      qb = qb.addSelect(
-        qb.connection.driver.escape(tableName) + '.' + qb.connection.driver.escape(item.column),
-        item.column,
-      )
+      if (!ALLOWED_COLUMNS.includes(item.column)) {
+        throw new Error('Invalid column')
+      }
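Review bot: the hunk as shown removes the `qb.addSelect(...)` call and puts only the allow-list check in its place, so unless the `...` elision hides a re-added select, the validated column is never selected at all; the check should sit directly before a retained `addSelect`, i.e. `if (!ALLOWED_COLUMNS.includes(item.column)) { throw new Error('Invalid column') }` followed by the original `qb = qb.addSelect(...)` lines. The check also validates only `item.column`; if the order item carries a sort direction that reaches the ORM (not visible in this hunk), it needs the same exact-match validation against a fixed set such as 'ASC'/'DESC'. Finally, `ALLOWED_COLUMNS` is imported from './constants' but its definition is not part of the shown patch, so a reviewer cannot confirm from this excerpt that the list is limited to real, sortable columns.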

Key changes

  • Added an allow‑list (ALLOWED_COLUMNS) for column names.
  • The ORM now throws an error when an unexpected column is requested, preventing malicious ordering clauses.
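The allow-list check described above, written as an added, self-contained TypeScript helper that a custom data store could call before handing ordering to its query builder; this is example code, not Veramo's own, and it goes slightly beyond the shown patch by also validating the sort direction. `ALLOWED_COLUMNS` is a constructed sample list, and `OrderItem`, `buildOrderBy`, `applyOrder` and `OrderableBuilder` are names assumed for this illustration.

```typescript
// Added example, not Veramo's own code: exact-match allow-listing of a
// caller-supplied `order` argument before it reaches an ORM query builder.
// ALLOWED_COLUMNS is a constructed sample; the other names are assumed here.

export type OrderItem = { column: string; direction?: string }
type Direction = 'ASC' | 'DESC'

// Constructed allow-list: the only column names a caller may sort on.
export const ALLOWED_COLUMNS: readonly string[] = ['id', 'type', 'issuanceDate', 'expirationDate']
const ALLOWED_DIRECTIONS: ReadonlySet<string> = new Set(['ASC', 'DESC'])

// Quote an identifier so the fragment handed to the ORM is always
// "<table>"."<column>", built only from values that passed the allow-list.
function quoteIdent(name: string): string {
  return '"' + name.replace(/"/g, '""') + '"'
}

// Validate every order item and return [sortExpression, direction] pairs.
// Membership is an exact match: a value that merely contains a known column
// name (e.g. 'id -- anything') is rejected. Identifiers cannot be bound as
// query parameters, which is why an allow-list beats escaping here.
export function buildOrderBy(tableName: string, order: OrderItem[]): Array<[string, Direction]> {
  return order.map((item) => {
    if (typeof item.column !== 'string' || !ALLOWED_COLUMNS.includes(item.column)) {
      throw new Error('Invalid column')
    }
    const direction = (item.direction ?? 'ASC').toUpperCase()
    if (!ALLOWED_DIRECTIONS.has(direction)) {
      throw new Error('Invalid direction')
    }
    return [quoteIdent(tableName) + '.' + quoteIdent(item.column), direction as Direction]
  })
}

// Minimal stand-in for the orderBy/addOrderBy pair that TypeORM's
// SelectQueryBuilder exposes; a custom data store would pass its real builder.
export interface OrderableBuilder {
  orderBy(sort: string, order: Direction): this
  addOrderBy(sort: string, order: Direction): this
}

// Apply validated ordering: first item via orderBy(), the rest via addOrderBy().
export function applyOrder<T extends OrderableBuilder>(qb: T, tableName: string, order: OrderItem[]): T {
  const pairs = buildOrderBy(tableName, order)
  for (let i = 0; i < pairs.length; i++) {
    const [sort, dir] = pairs[i]
    qb = i === 0 ? qb.orderBy(sort, dir) : qb.addOrderBy(sort, dir)
  }
  return qb
}
```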

Remediation Steps

  1. Upgrade Packages

    # Using npm
    npm install @veramo/data-store@^6.0.2 @veramo/data-store-json@^6.0.2

    # Using yarn
    yarn add @veramo/data-store@^6.0.2 @veramo/data-store-json@^6.0.2

  2. Restart the Veramo Agent to load the updated libraries.

  3. Custom Data Stores
    If you have overridden decorateQB, ensure you perform the same allow‑list check for column names.

  4. Least‑Privilege Database Access

    • Restrict the database user used by the Veramo agent so it cannot read the private-key table unless required.
    • Consider storing private keys in a separate, more tightly controlled backend.

References

For a full technical analysis, including interactive diagrams and exploit details, refer to the advisory on the official website.
