ArangoDB AQL Injections
⚔️ Attack Techniques & Methods
2026-04-02, 10:44
Daniel Kachakil from Anvil Secure has published one of the most detailed public analyses of AQL injection in ArangoDB. The research shows how unsafe handling of user input during dynamic AQL query construction can lead to injection vulnerabilities similar to SQL injection. When query strings are built through concatenation instead of strict parameter binding, an attacker can inject arbitrary AQL expressions and execute unintended operations in the application's context.
Depending on the affected query and privilege model, this can result in unauthorized data access or modification, access control bypass, and privilege escalation within ArangoDB-backed applications. No specific versions are identified as affected; the issue applies generally to deployments where AQL queries are constructed dynamically without secure parameterization. Exploitation requires only user influence over input incorporated into AQL queries.
📎 Article: https://www.anvilsecure.com/blog/exploiting-aql-injection-vulnerabilities-in-arangodb.html