js · dbgate-apiCritical
DbGate API: Arbitrary Code Execution via Unsanitized functionName in POST /runners/load-reader
The POST /runners/load-reader endpoint directly interpolates the functionName parameter into a JavaScript code template without sanitization, allowing arbitrary code execution via process.
What changed
The POST /runners/load-reader endpoint directly interpolates the functionName parameter into a JavaScript code template without sanitization, allowing arbitrary code execution via process.binding("spawn_sync").
Who it affects
All DbGate server instances with authenticated users (basic access, no special permissions required).
What to do today
Apply the vendor patch or disable the /runners/load-reader endpoint until a fix is deployed.
The trail
Collected→
Audited→
Written→
Published