GMS-2023-755: sqlite vulnerable to code execution due to Object coercion

March 16, 2023 (updated March 22, 2023)

Due to the underlying implementation of .ToString(), it’s possible to execute arbitrary JavaScript, or to achieve a denial-of-service, if a binding parameter is a crafted Object. Users of sqlite3 v5.0.0 - v5.1.4 are affected by this.

References

github.com/TryGhost/node-sqlite3/commit/edb1934dd222ae55632e120d8f64552d5191c781
github.com/TryGhost/node-sqlite3/security/advisories/GHSA-jqv5-7xpx-qj74
github.com/advisories/GHSA-jqv5-7xpx-qj74

Code Behaviors & Features

Detect and mitigate GMS-2023-755 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →