CVE-2022-35942
**Name of the Vulnerable Software and Affected Versions**
LoopBack versions prior to 5.5.1
**Description**
Improper input validation on the `contains` LoopBack filter may allow arbitrary SQL injection. When the extended filter property `contains` is permitted to be interpreted by the Postgres connector, it is possible to inject arbitrary SQL, which may affect the confidentiality and integrity of data stored in the connected database. This affects users who connect to the database via a DataSource with the `allowExtendedProperties: true` setting, who use the connector's CRUD methods directly, or who use the connector's other methods to interpret the LoopBack filter.
**Recommendations**
For versions prior to 5.5.1, upgrade to version 5.5.1 to resolve the issue.
If unable to upgrade, remove the `allowExtendedProperties: true` DataSource setting and set `allowExtendedProperties: false` in the DataSource instead.
When passing user input directly to the connector functions, manually sanitize it for the `contains` LoopBack filter beforehand.
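The interim workarounds above (the corrected DataSource setting and sanitizing user input before the `contains` filter reaches the connector), as an added example that is not part of the advisory and not LoopBack's own code. It assumes the usual LoopBack `where` shape `{ field: { contains: [...] } }` with optional `and`/`or` nesting; the function names, the allowlist pattern and the `tags` field are hypothetical.

```javascript
// Weak setting named in the advisory beside the corrected one (constructed configs).
const unsafeDataSource = { connector: 'postgresql', allowExtendedProperties: true };
const safeDataSource = { connector: 'postgresql', allowExtendedProperties: false };

// Hypothetical default allowlist for string elements; tighten it per field via `patterns`.
const DEFAULT_PATTERN = /^[A-Za-z0-9 _.@-]{1,64}$/;

class InvalidContainsFilter extends Error {}

// Walks a LoopBack `where` object and returns a validated copy. Every `contains`
// value must be a non-empty array whose elements are finite numbers or strings
// matching the allowlist; anything else (objects, nested arrays, strings with
// characters outside the allowlist) is rejected before it can reach a connector
// that interpolates the filter into SQL. Other operators pass through unchanged.
function sanitizeContainsFilter(where, patterns = {}) {
  if (where === null || typeof where !== 'object' || Array.isArray(where)) {
    throw new InvalidContainsFilter('where must be a plain object');
  }
  const out = {};
  for (const [key, value] of Object.entries(where)) {
    if (key === 'and' || key === 'or') {
      if (!Array.isArray(value)) throw new InvalidContainsFilter(`${key} must be an array`);
      out[key] = value.map((clause) => sanitizeContainsFilter(clause, patterns));
      continue;
    }
    const isOperatorObject = value !== null && typeof value === 'object' && !Array.isArray(value);
    if (isOperatorObject && 'contains' in value) {
      const items = value.contains;
      if (!Array.isArray(items) || items.length === 0) {
        throw new InvalidContainsFilter(`${key}.contains must be a non-empty array`);
      }
      const pattern = patterns[key] || DEFAULT_PATTERN;
      for (const item of items) {
        const ok = (typeof item === 'number' && Number.isFinite(item))
          || (typeof item === 'string' && pattern.test(item));
        if (!ok) throw new InvalidContainsFilter(`${key}.contains contains a rejected element`);
      }
      out[key] = { ...value, contains: items.slice() };
      continue;
    }
    out[key] = value;
  }
  return out;
}
```

Call `sanitizeContainsFilter(filter.where)` on request input before handing the filter to the connector, and treat an `InvalidContainsFilter` as a client error rather than falling back to the unvalidated filter.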