PT-2020-17844 · Nozbe · @Nozbe/Watermelondb
Radex · Published 2020-06-03 · Updated 2020-06-11
CVE-2020-4035
CVSS v3.1: 5.9 (Medium)
| Vector | AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H |
Name of the Vulnerable Software and Affected Versions
@nozbe/watermelondb versions prior to 0.15.1
@nozbe/watermelondb versions prior to 0.16.2
Description
A maliciously crafted record ID can exploit a SQL Injection vulnerability in the iOS adapter implementation, causing the app to delete all or selected records from the database. This may happen in apps that don't validate IDs and use Watermelon Sync or the low-level database.adapter.destroyDeletedRecords method. The integrity risk is low due to the fact that maliciously deleted records won't synchronize, so logout-login will restore all data. No way to breach confidentiality with this vulnerability is known. Full exploitation of SQL Injection is mitigated because it's not possible to nest an insert/update query inside a delete query in SQLite.
Recommendations
For versions prior to 0.15.1, update to version 0.15.1 or later.
For versions prior to 0.16.2, update to version 0.16.2 or later.
As a temporary workaround, ensure that your backend service sanitizes record IDs sent in the "pull sync" endpoint, such that only IDs matching /^[a-zA-Z0-9 -.]+$/ are returned.
If you use destroyDeletedRecords directly, validate all IDs passed the same way.
Fix
SQL injection
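The following is an added example, not code from WatermelonDB or from this advisory, showing the two defensive steps the description and the recommendations above call for: validating record IDs that arrive from the "pull sync" endpoint (or that are passed to destroyDeletedRecords), and binding the surviving IDs as parameters rather than interpolating them into the DELETE statement. It keeps the advisory's pattern verbatim but also includes a stricter alternative, because inside a character class the token ` -.` is a range from space (0x20) through period (0x2E), so the advisory's pattern also accepts characters such as `'` and `,`. The pull-sync response shape (`changes.<table>.deleted`), the table name `posts`, the 64-character length cap and the sample IDs are all constructed assumptions.

```javascript
// Added example (not WatermelonDB's own code): validate record IDs before
// they reach a DELETE query, as the advisory's workaround recommends.

// The pattern quoted in the advisory. Note that " -." inside the class is a
// range from space (0x20) to "." (0x2E), so it also admits "'" (0x27).
const ADVISORY_ID_PATTERN = /^[a-zA-Z0-9 -.]+$/;

// Stricter alternative (assumption: IDs are alphanumeric plus "_" and "-").
const STRICT_ID_PATTERN = /^[a-zA-Z0-9_-]+$/;

// Assumed upper bound on ID length; not something the advisory specifies.
const MAX_ID_LENGTH = 64;

// Split a list of IDs into those that pass validation and those that do not.
function partitionIds(ids, pattern = STRICT_ID_PATTERN) {
  const accepted = [];
  const rejected = [];
  for (const id of ids) {
    const ok =
      typeof id === 'string' &&
      id.length > 0 &&
      id.length <= MAX_ID_LENGTH &&
      pattern.test(id);
    (ok ? accepted : rejected).push(id);
  }
  return { accepted, rejected };
}

// Walk a pull-sync response of the ASSUMED shape
//   { changes: { <table>: { created: [...], updated: [...], deleted: [ids] } } }
// drop every "deleted" ID that fails validation, and return what was dropped
// so the backend can log it for detection purposes.
function sanitizePullResponse(response, pattern = STRICT_ID_PATTERN) {
  const dropped = [];
  for (const [table, change] of Object.entries(response.changes || {})) {
    const { accepted, rejected } = partitionIds(change.deleted || [], pattern);
    change.deleted = accepted;
    for (const id of rejected) dropped.push({ table, id });
  }
  return dropped;
}

// Build a parameterized DELETE: IDs travel as bind parameters and never
// become part of the SQL text, which is what removes the injection path.
// The table name is checked against a conservative identifier pattern
// because it cannot be bound as a parameter.
function buildDeleteStatement(table, ids) {
  if (!/^[a-zA-Z_][a-zA-Z0-9_]*$/.test(table)) {
    throw new Error(`refusing unexpected table name: ${table}`);
  }
  if (ids.length === 0) return null;
  const placeholders = ids.map(() => '?').join(', ');
  return { sql: `DELETE FROM "${table}" WHERE id IN (${placeholders})`, params: ids };
}

// Constructed sample: a pull-sync response whose "deleted" list contains one
// ID with an apostrophe, which the advisory pattern accepts and the strict
// pattern rejects.
const SAMPLE_DELETED_IDS = ['abc123DEF456ghi7', 'rec-0001', "o'brien"];
const SAMPLE_RESPONSE = {
  changes: { posts: { created: [], updated: [], deleted: [...SAMPLE_DELETED_IDS] } },
  timestamp: 1591142400000,
};

// Stand-alone usage: sanitize the response, then build the bound DELETE.
const droppedIds = sanitizePullResponse(SAMPLE_RESPONSE);
const statement = buildDeleteStatement('posts', SAMPLE_RESPONSE.changes.posts.deleted);
console.log('dropped:', droppedIds);
console.log('statement:', statement);
```

Run with `node`: the strict pattern drops `o'brien` and the resulting statement is `DELETE FROM "posts" WHERE id IN (?, ?)` with the two remaining IDs as bind parameters. Passing `ADVISORY_ID_PATTERN` to `sanitizePullResponse` instead drops nothing, which is the reason the example offers the stricter class.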
Weakness Enumeration
Related Identifiers
Affected Products
@Nozbe/Watermelondb