Aatomical

**Name of the Vulnerable Software and Affected Versions** Ormar versions 0.9.9 through 0.22.0 **Description** Ormar is an async mini ORM for Python. Versions 0.9.9 through 0.22.0 are susceptible to a SQL injection flaw when performing aggregate queries. The `min()` and `max()` methods in the `QuerySet` class accept arbitrary string input as the column parameter without validation. This allows an attacker to embed raw SQL inside the aggregate function call, potentially enabling them to read the entire database content, including unrelated tables, by injecting a subquery. The vulnerability arises because `sqlalchemy.text()` is used to construct SQL expressions directly from user-supplied column names without sanitization. The `sum()` and `avg()` methods have partial protection with a type check, but `min()` and `max()` do not. The vulnerability was discovered through the ability to execute subqueries via the `min()` and `max()` aggregate functions. An attacker can enumerate database tables, extract schemas, and dump credentials without authentication. **Recommendations** Update to version 0.23.0 or later.