GHSA-38CW-85XC-XR9X: Identity Crisis: Dumping Veramo's Digital Wallets via SQL Injection
Published: (January 16, 2026 at 08:03 PM EST)
2 min read
Source: Dev.to
Source: Dev.to
Vulnerability Overview
- Vulnerability ID: GHSA-38CW-85XC-XR9X
- CVE: N/A
- CVSS Score: 6.8 (Medium)
- Published: 2026-01-16
- CWE: CWE‑89 (SQL Injection)
- Attack Vector: Network (Authenticated)
- Impact: High – confidentiality and integrity of private keys and verifiable credentials
A critical SQL injection flaw exists in the Veramo framework’s data storage layer. Authenticated attackers can manipulate the order parameter in API requests, causing the ORM to execute arbitrary SQL and dump the entire database, including DIDs, private keys, and verifiable credentials.
Affected Components
| Package | Versions Affected | Fixed In |
|---|---|---|
@veramo/data-store | < 6.0.2 | 6.0.2 |
@veramo/data-store-json | < 6.0.2 | 6.0.2 |
The vulnerable function is decorateQB() in data-store-orm.ts.
Patch Details
--- a/packages/data-store/src/data-store-orm.ts
+++ b/packages/data-store/src/data-store-orm.ts
@@ -1,4 +1,5 @@
+import { ALLOWED_COLUMNS } from './constants'
...
- qb = qb.addSelect(
- qb.connection.driver.escape(tableName) + '.' + qb.connection.driver.escape(item.column),
- item.column,
- )
+ if (!ALLOWED_COLUMNS.includes(item.column)) {
+ throw new Error('Invalid column')
+ }Key changes
- Added an allow‑list (
ALLOWED_COLUMNS) for column names. - The ORM now throws an error when an unexpected column is requested, preventing malicious ordering clauses.
Remediation Steps
-
Upgrade Packages
# Using npm npm install @veramo/data-store@^6.0.2 @veramo/data-store-json@^6.0.2 # Using yarn yarn add @veramo/data-store@^6.0.2 @veramo/data-store-json@^6.0.2 -
Restart the Veramo Agent to load the updated libraries.
-
Custom Data Stores
If you have overriddendecorateQB, ensure you perform the same allow‑list check for column names. -
Least‑Privilege Database Access
- Restrict the database user used by the Veramo agent so it cannot read the
private-keytable unless required. - Consider storing private keys in a separate, more tightly controlled backend.
- Restrict the database user used by the Veramo agent so it cannot read the
References
- GitHub Security Advisory: GHSA-38CW-85XC-XR9X
- Veramo Framework Documentation – https://veramo.io/docs
For a full technical analysis, including interactive diagrams and exploit details, refer to the advisory on the official website.